Spring Framework UriComponentsBuilder Vulnerability
CVE-2024-22259

8.1HIGH

Key Information:

Vendor: Spring
Product: Spring Framework
CVE Published: 16 March 2024

Badges

EPSS 13% · News Worthy

Summary

CVE-2024-22259 affects the Spring Framework, a widely used foundation for Java applications. An application is exposed when it uses UriComponentsBuilder to parse a URL supplied from an external source and then makes a security decision based on the host of the parsed result, for example checking that host against an allow list before redirecting the browser to the URL or fetching it server-side. Because the host that UriComponentsBuilder reports can differ from the host that a browser or HTTP client will actually connect to for the same string, such checks can be bypassed, leading to open redirects (useful for phishing) and server-side request forgery (SSRF) against internal systems or external networks. Affected versions are Spring Framework 6.1.0 to 6.1.4, 6.0.0 to 6.0.17 and 5.3.0 to 5.3.32, as well as older, unsupported versions. Upgrade to the fixed releases 6.1.5, 6.0.18 or 5.3.33 respectively; where an upgrade cannot be applied immediately, avoid redirecting to or fetching externally supplied absolute URLs on the strength of a host check alone. Keeping dependencies current remains the basic defence against exploitation of publicly known issues.
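To show the pattern the summary describes in code, the following Java is an added example and is not code from the Spring project or from this page; the class name, the allow list of hosts, the named-target map and the sample inputs are all constructed for it. The first method is the shape of code that is exposed on affected versions: it trusts the host that UriComponentsBuilder reports for an externally supplied string. The second avoids the problem by design, never forwarding an externally supplied absolute URL at all, so there is no parsed host to validate.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Constructed example (not Spring project code): the redirect-target check
 * the advisory warns about, beside a design that does not depend on it.
 */
public final class RedirectTargetPolicy {

    // Constructed allow list of hosts the application is willing to redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    // Constructed map from a short, application-defined key to a fixed destination.
    private static final Map<String, String> NAMED_TARGETS = Map.of(
            "dashboard", "https://www.example.com/dashboard",
            "docs", "https://example.com/docs");

    /**
     * The vulnerable pattern: parse an externally supplied URL with
     * UriComponentsBuilder and base an authorization decision on the host it
     * reports. On affected versions (6.1.0-6.1.4, 6.0.0-6.0.17, 5.3.0-5.3.32)
     * that host may not be the one a browser or HTTP client actually uses for
     * the same string, so the check can be bypassed. Kept here to show the
     * shape to look for in code review; it should not be the sole control.
     */
    static boolean hostIsAllowedViaUriComponentsBuilder(String externalUrl) {
        String host = UriComponentsBuilder.fromUriString(externalUrl).build().getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Hardened resolver: an externally supplied value is either a key into
     * NAMED_TARGETS or a site-relative path. Absolute URLs are never forwarded,
     * so the destination does not depend on how any library parses a scheme or
     * authority. Anything that does not pass resolves to "/".
     */
    static String resolveRedirect(String target) {
        if (target == null || target.isBlank()) {
            return "/";
        }
        String fixed = NAMED_TARGETS.get(target);
        if (fixed != null) {
            return fixed;
        }
        // Reject control characters (CR/LF would allow response-header injection).
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return "/";
            }
        }
        // A site-relative path starts with exactly one "/"; "//host" is
        // scheme-relative and "/\host" is treated like it by some clients.
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            return "/";
        }
        try {
            URI parsed = new URI(target);
            // Belt and braces: no scheme and no authority component may be present.
            if (parsed.isAbsolute() || parsed.getRawAuthority() != null) {
                return "/";
            }
        } catch (URISyntaxException e) {
            return "/";
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed values a "redirect" request parameter might carry.
        String[] samples = {
                "dashboard",
                "/account/settings?tab=security",
                "//attacker.example/phish",
                "/\\attacker.example",
                "https://attacker.example/",
                "/ok\r\nSet-Cookie: x=y",
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + resolveRedirect(s));
        }
    }
}
```

Compile against spring-web (the artifact that provides UriComponentsBuilder) and run main to see each constructed input mapped to its redirect target; only the named key and the plain site-relative path survive. The vulnerable method is deliberately not called from main. Moving to a key- or path-based design removes this one exposure, but the upgrade to a fixed release is still required for every other place that parses external URLs.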

Affected Version(s)

Spring Framework 6.1.x < 6.1.5 (6.1.0 to 6.1.4)

Spring Framework 6.0.x < 6.0.18 (6.0.0 to 6.0.17)

Spring Framework 5.3.x < 5.3.33 (5.3.0 to 5.3.32)

Older, unsupported versions are also affected. Check the spring-web / spring-core version your build actually resolves (for example with mvn dependency:tree or gradle dependencies) rather than inferring it from a Spring Boot version.

News Articles

CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report) | daily.dev

Applications using UriComponentsBuilder for parsing URLs may be vulnerable to open redirect or SSRF attacks if host validation checks are bypassed.

CVE-2024-22259: Spring Framework Update Fixes High-Severity Flaw (March 14, 2024)

The popular Spring Framework, a cornerstone of many Java-based applications, has received a crucial security update. This patch addresses a high-severity flaw designated CVE-2024-22259.


EPSS Score

13% estimated probability of exploitation activity in the next 30 days (EPSS value at the time this page was captured; EPSS is recomputed daily).

CVSS V3.1

Score: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Timeline

  • Vulnerability published

  • First article discovered by Daily.dev

  • Vulnerability reserved