Spring UriComponentsBuilder Vulnerability: Open Redirect and SSRF Risks
CVE-2024-22262

8.1 HIGH

Key Information:

Vendor: Spring

CVE Published: 16 April 2024

What is CVE-2024-22262?

Applications built on VMware's Spring Framework that use UriComponentsBuilder to parse an externally supplied URL, and then perform validation checks on the host of the parsed URL, may be exposed to open redirect or server-side request forgery (SSRF) attacks if those validation checks are configured improperly and the URL is used after passing them. This issue is similar to CVE-2024-22259 and CVE-2024-22243, but is triggered by different input. Upgrading to a fixed version and applying sound URL validation practices are recommended to mitigate the risk.

Affected Version(s)

  • Spring Framework 6.1.x

  • Spring Framework 6.1.x < 6.1.6

  • Spring Framework 6.0.x < 6.0.19

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 16 April 2024

  • Vulnerability Reserved
