Spring Security Advisories

All advisories

CVE-2024-22243: Spring Framework URL Parsing with Host Validation

HIGH | FEBRUARY 21, 2024 | CVE-2024-22243

Description

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.

Affected Spring Products and Versions

Spring Framework

  • 6.1.0 - 6.1.3
  • 6.0.0 - 6.0.16
  • 5.3.0 - 5.3.31
  • Older, unsupported versions are also affected

Mitigation

Upgrade Spring Framework as follows:

  • 6.1.x users should upgrade to 6.1.4
  • 6.0.x users should upgrade to 6.0.17
  • 5.3.x users should upgrade to 5.3.32

No other steps are necessary.

Credit

The issue was identified and responsibly reported by Sean Pesce from Motorola Solutions.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all