Spring Framework UriComponentsBuilder Vulnerability
CVE-2024-22259
What is CVE-2024-22259?
The CVE-2024-22259 vulnerability affects the Spring Framework, a widely used component in Java-based applications. The vulnerability allows for open redirect attacks and server-side request forgery (SSRF) if applications use the UriComponentsBuilder functionality to process URLs from external sources. This poses a high risk, as it could lead to phishing attacks and unauthorized requests to internal systems or external networks. The affected versions include Spring Framework 6.1.0 to 6.1.4, 6.0.0 to 6.0.17, and 5.3.0 to 5.3.32, as well as older unsupported versions. It is crucial for users to upgrade to the fixed versions (6.1.56, 6.0.18, and 5.3.33) to mitigate the risk. Staying vigilant and keeping software dependencies up to date is essential to prevent attackers from exploiting known security holes.
Affected Version(s)
Spring Framework 6.1.x
Spring Framework 6.1.x < 6.1.5
Spring Framework 6.0.x < 6.0.18
News Articles
Daily.devCVE-2024-22259CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report) | daily.dev
Applications using UriComponentsBuilder for parsing URLs may be vulnerable to open redirect or SSRF attacks if host validation checks are bypassed.
securityonline.infoCVE-2024-22259CVE-2024-22259 Archives
VulnerabilityMarch 14, 2024CVE-2024-22259: Spring Framework Update Fixes High-Severity FlawThe popular Spring Framework, a cornerstone of many Java-based applications, has received a crucial security update....
securityonline.infoCVE-2024-22259CVE-2024-22259: Spring Framework Update Fixes High-Severity Flaw
The popular Spring Framework has received a crucial security update. This patch addresses a high-severity flaw designated CVE-2024-22259
References
EPSS Score
13% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
- 📰
First article discovered by Daily.dev
Vulnerability Reserved