PT-2024-2177 · Unknown+2 · Spring Framework+4

Threedr3Am · Published 2024-03-14 · Updated 2026-04-24 · CVE-2024-22259

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Spring Framework versions prior to 6.1.5
Spring Framework versions prior to 6.0.18
Spring Framework versions prior to 5.3.33

Description
The issue exists due to insufficient validation of user-supplied input in the UriComponentsBuilder component of the Spring Framework. A remote attacker can exploit it to perform Server-Side Request Forgery (SSRF) and open redirect attacks against affected systems. Approximately 1,139,824 results are observed, distributed mainly across China, the United States, and other countries.

Recommendations
For Spring Framework versions prior to 6.1.5, update to version 6.1.5 or later.
For Spring Framework versions prior to 6.0.18, update to version 6.0.18 or later.
For Spring Framework versions prior to 5.3.33, update to version 5.3.33 or later.
As a temporary workaround, restrict the use of the UriComponentsBuilder component until a patch is applied, and avoid using the host variable in the affected API endpoint until the issue is resolved.
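The workaround above asks callers not to trust the host of a user-supplied URL. The following Java helper, added here as an example and not code from the Spring Framework or from the advisory's author, shows one way to enforce that: the URL is parsed by both java.net.URI and UriComponentsBuilder, and the request is rejected unless both parsers agree on the host, the host is on a fixed allowlist, the scheme is https and no userinfo is present. The class name OutboundUrlPolicy, the allowlist entries and the sample inputs are assumptions constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Hypothetical helper (not Spring's own code): a user-supplied URL is accepted
 * for a redirect or an outbound request only when two independent parsers agree
 * on its host and that host is on a fixed allowlist.
 */
public final class OutboundUrlPolicy {

    // Constructed allowlist for the example; a real deployment supplies its own.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("api.example.com", "cdn.example.com");

    private OutboundUrlPolicy() {}

    /**
     * Returns the validated URI or throws IllegalArgumentException.
     * Any disagreement between java.net.URI and UriComponentsBuilder about the
     * host is treated as a rejection, so a URL that one component reads as an
     * allowed host and another reads differently never reaches the HTTP client.
     */
    public static URI validate(String userSuppliedUrl) {
        final URI jdkView;
        try {
            jdkView = new URI(userSuppliedUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("rejected: unparsable URL", e);
        }
        UriComponents springView = UriComponentsBuilder.fromUriString(userSuppliedUrl).build();

        String jdkHost = jdkView.getHost();
        String springHost = springView.getHost();

        // Relative URLs and URLs without an authority carry no host: reject them.
        if (jdkHost == null || springHost == null) {
            throw new IllegalArgumentException("rejected: no host");
        }
        if (!jdkHost.equalsIgnoreCase(springHost)) {
            throw new IllegalArgumentException("rejected: parsers disagree on host");
        }
        // userinfo (user:pass@host) is never needed for our targets; refuse it outright.
        if (jdkView.getUserInfo() != null || springView.getUserInfo() != null) {
            throw new IllegalArgumentException("rejected: userinfo not permitted");
        }
        if (!"https".equalsIgnoreCase(jdkView.getScheme())) {
            throw new IllegalArgumentException("rejected: only https permitted");
        }
        // Exact, case-insensitive match against the allowlist; no suffix or substring checks.
        if (!ALLOWED_HOSTS.contains(jdkHost.toLowerCase())) {
            throw new IllegalArgumentException("rejected: host not on allowlist");
        }
        return jdkView;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the example.
        String[] samples = {
            "https://api.example.com/v1/items",
            "https://other.example.net/",
            "http://api.example.com/",
            "/relative/path",
        };
        for (String s : samples) {
            try {
                System.out.println("allowed : " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("blocked : " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting on parser disagreement is defense in depth, not a substitute for upgrading to the fixed versions listed above. The exact-match allowlist also avoids the common mistake of accepting any host that merely ends with or contains an expected domain name.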

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

BDU:2024-02091
CVE-2024-22259
GHSA-HGJH-9RJ2-G67J

Affected Products

Bamboo
Bitbucket
Confluence
Debian
Spring Framework