Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreSpring Security Advisories
CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243, but with different input.
Affected Spring Products and Versions
Spring Framework
- 6.1.0 - 6.1.4
- 6.0.0 - 6.0.17
- 5.3.0 - 5.3.32
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.1.x | 6.1.5 | OSS |
| 6.0.x | 6.0.18 | OSS |
| 5.3.x | 5.3.33 | OSS |
Credit
The issue was identified and responsibly reported by threedr3am from EcoFlow Intelligent terminal department.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all