Spring UriComponentsBuilder Vulnerability: Open Redirect and SSRF Risks
CVE-2024-22262
8.1 HIGH
What is CVE-2024-22262?
Applications that use UriComponentsBuilder in the Spring Framework (published by VMware) to parse an externally provided URL, for example one taken from a query parameter, and then perform validation checks on the host of the parsed URL, may be vulnerable to an open redirect or to a server-side request forgery (SSRF) attack if the URL is used after passing those checks. The root cause is not a misconfigured validator: for certain inputs the host that UriComponentsBuilder reports is not the host that a browser or HTTP client will actually connect to, so an allow-list check against the parsed host can pass while the redirect or outbound request goes elsewhere. This is the same issue as CVE-2024-22259 and CVE-2024-22243, but with different input. The remediation is to upgrade to a fixed version; a host allow-list built on the parsed value alone should not be relied upon.
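The pattern the advisory describes, shown as an added example for this page (it is not code from the Spring project or from the advisory): the vulnerable method validates the host that UriComponentsBuilder extracted and then hands the raw input string to a redirect or HTTP client, while the hardened method parses with java.net.URI, rejects anything that is not a plain absolute http(s) URL, cross-checks that both parsers agree on the host, and returns the validated URI object rather than the original string. The class name, the method names and the allow-listed hosts are hypothetical, and the code assumes spring-web is on the classpath. The cross-check is defence in depth; upgrading Spring remains the fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Example code added for this page; not part of the Spring Framework.
 * Demonstrates host validation of an externally supplied URL before it is
 * used in a "redirect:" view or an outbound HTTP call.
 */
public final class RedirectTargetCheck {

    // Hypothetical allow-list of hosts this application may redirect to or fetch from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    /**
     * VULNERABLE PATTERN (Spring Framework before 6.1.6 / 6.0.19).
     * The host that is checked is whatever UriComponentsBuilder extracted, but the
     * value that is used afterwards is the raw string, which the browser or the
     * HTTP client parses with its own rules. If the two parsers disagree on the
     * host, the allow-list is bypassed even though the check "passed".
     */
    static String vulnerableTarget(String externalUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        // Raw input reaches "redirect:" + target or restTemplate.getForObject(target, ...).
        return externalUrl;
    }

    /**
     * HARDENED PATTERN (defence in depth on top of upgrading Spring).
     *  1. Parse with java.net.URI, the parser the JDK HTTP client actually uses.
     *  2. Require an absolute http(s) URL with no userinfo component.
     *  3. Check the allow-list against the host from that parser.
     *  4. Require UriComponentsBuilder to agree on the host; a disagreement is
     *     exactly the condition the advisory warns about, so reject it.
     *  5. Return the parsed URI, never the raw string, so what was validated
     *     is what gets used.
     */
    static URI hardenedTarget(String externalUrl) {
        URI uri;
        try {
            uri = new URI(externalUrl).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        String springHost = UriComponentsBuilder.fromUriString(externalUrl).build().getHost();
        if (springHost == null || !host.equalsIgnoreCase(springHost)) {
            throw new IllegalArgumentException("parsers disagree on host; refusing");
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed input: a benign allow-listed target.
        System.out.println(hardenedTarget("https://www.example.com/account?next=1"));
    }
}
```

For SSRF targets the same rule applies to the address layer: resolve the validated host and reject private, loopback and link-local ranges before connecting, since a host allow-list says nothing about where a DNS name points.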
Affected Version(s)
Spring Framework 6.1.x < 6.1.6
Spring Framework 6.0.x < 6.0.19
CVSS V3.1
Score: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High