Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-22243: Spring Framework URL Parsing with Host Validation
Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.
Affected Spring Products and Versions
Spring Framework
- 6.1.0 - 6.1.3
- 6.0.0 - 6.0.16
- 5.3.0 - 5.3.31
- Older, unsupported versions are also affected
Mitigation
Upgrade Spring Framework as follows:
- 6.1.x users should upgrade to 6.1.4
- 6.0.x users should upgrade to 6.0.17
- 5.3.x users should upgrade to 5.3.32
No other steps are necessary.
Credit
The issue was identified and responsibly reported by Sean Pesce from Motorola Solutions.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all