Unknown · Spring Framework · CVE-2024-22243
**Name of the Vulnerable Software and Affected Versions**
Spring Framework versions prior to the fixed version
**Description**
The issue arises from insufficient validation of user-input data in the Spring Framework, potentially allowing an attacker to perform a Server-Side Request Forgery (SSRF) attack or an open redirect attack. It affects applications that use UriComponentsBuilder to parse an externally provided URL, validate the host of the parsed result (for example against a whitelist), and then use the URL once it has passed those checks. A URL containing a left square bracket in its user info segment can cause UriComponentsBuilder to return a host name that differs from the interpretation of major browsers, so the host check passes while the request or redirect actually goes elsewhere, potentially bypassing whitelist restrictions and reaching resources that should not be accessible.
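As an added illustration (not code from this advisory or from Spring), the validation pattern described above beside a fail-closed variant that rejects any user info, cross-checks Spring's parse against the stricter java.net.URI parser, and requires both to agree on a whitelisted host. The class, method names and allowlist are assumptions; upgrading remains the actual fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

// Hypothetical validator written for this advisory; names and allowlist are constructed.
public final class RedirectTargetValidator {

    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    // The pattern the advisory calls out: parse with UriComponentsBuilder, then trust getHost().
    // On unpatched versions the host returned here can differ from what a browser would use.
    static boolean isAllowedVulnerable(String externalUrl) {
        UriComponents uc = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = uc.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Defense in depth (an assumed design, not Spring's fix): fail closed on anything unusual.
    static boolean isAllowedHardened(String externalUrl) {
        UriComponents uc;
        URI strict;
        try {
            uc = UriComponentsBuilder.fromUriString(externalUrl).build();
            strict = new URI(externalUrl);   // RFC 3986 parser; throws on illegal characters
        } catch (IllegalArgumentException | URISyntaxException e) {
            return false;                    // unparsable by either parser: reject
        }
        // Redirect and outbound-request targets never need credentials; any user info is suspicious.
        if (uc.getUserInfo() != null || strict.getUserInfo() != null) return false;
        // Only http(s) is acceptable for these targets.
        String scheme = uc.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) return false;
        // Both parsers must agree on a non-empty host before the whitelist is consulted.
        String springHost = uc.getHost();
        String strictHost = strict.getHost();
        if (springHost == null || strictHost == null || !springHost.equalsIgnoreCase(strictHost)) return false;
        // Bracketed hosts (IPv6 literals) are not whitelisted here; reject them explicitly.
        if (springHost.contains("[") || springHost.contains("]")) return false;
        return ALLOWED_HOSTS.contains(springHost.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        System.out.println("plain allowlisted host: " + isAllowedHardened("https://www.example.com/login"));
        System.out.println("carries user info:      " + isAllowedHardened("https://user:pw@example.com/"));
        System.out.println("non-allowlisted host:   " + isAllowedHardened("https://example.com.evil.test/"));
    }
}
```

The differential parse is the useful part: a URL that one parser accepts and the other rejects, or that the two parsers attribute to different hosts, is exactly the class of input this advisory describes, and it is refused rather than trusted.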
**Recommendations**
To resolve the issue, upgrade to the latest version of the Spring Framework. If upgrading to the latest version is not possible, apply the recommended fixed release for the version line you are on. As a temporary workaround, consider disabling the use of UriComponentsBuilder for parsing externally provided URLs until you can upgrade. Restrict access to sensitive resources and validate all user-input data to minimize the risk of exploitation.