PT-2024-2941
Author: L0Ne1Y
Published: 2024-04-11 · Updated: 2025-02-20
CVE-2024-22262
CVSS v2.0: 9.4 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Spring Framework versions prior to 5.3.34
Spring Framework versions prior to 6.0.19
Spring Framework versions prior to 6.1.6
Description
The issue exists due to insufficient validation of user-supplied URLs in the UriComponentsBuilder component of the Spring Framework. When an application parses an externally provided URL (for example, one taken from a query parameter) with UriComponentsBuilder and checks the host of the parsed result, the host that UriComponentsBuilder reports can differ from the host that a browser or HTTP client resolves for the same string. A host validation check therefore passes while the redirect or outbound request actually goes to an attacker-chosen host, which allows a remote attacker to perform a Server-Side Request Forgery (SSRF) or open redirect attack. Only applications that use UriComponentsBuilder to parse externally provided URLs, validate the host of the parsed result, and then use that URL are affected.
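The vulnerable usage pattern beside a hardened variant, as an added example that is not code from this page or from the Spring project. The allowlist, the method names and the two sample URLs are assumptions constructed for illustration. The hardened variant is defense in depth only: it cross-checks the host with a second parser, rejects userinfo, and returns a URL rebuilt from the validated components instead of the raw input. It does not replace upgrading to a fixed release.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetCheck {

    // Hosts this application may redirect to or fetch from (constructed for the example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "api.example.com");

    // Vulnerable pattern named in the advisory: parse with UriComponentsBuilder, check the
    // parsed host against an allowlist, then hand the ORIGINAL string onward. On affected
    // versions the parsed host can differ from the host a browser or HTTP client resolves
    // for the same string, so the check can pass for an attacker-chosen destination.
    static String vulnerableTarget(String userSupplied) {
        UriComponents uc = UriComponentsBuilder.fromUriString(userSupplied).build();
        if (uc.getHost() == null || !ALLOWED_HOSTS.contains(uc.getHost().toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        return userSupplied; // later used as a redirect Location or an outbound request target
    }

    // Hardened pattern (assumed mitigation, in addition to upgrading): require two independent
    // parsers to agree on the host, forbid userinfo, pin the scheme, and rebuild the URL from
    // the components that were actually validated so the raw input never reaches a client.
    static String hardenedTarget(String userSupplied) {
        UriComponents uc = UriComponentsBuilder.fromUriString(userSupplied).build();
        URI jdk;
        try {
            jdk = new URI(userSupplied);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable URL", e);
        }
        String host = uc.getHost();
        if (host == null || jdk.getHost() == null || !host.equalsIgnoreCase(jdk.getHost())) {
            throw new IllegalArgumentException("parsers disagree on host");
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        if (uc.getUserInfo() != null || jdk.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not permitted");
        }
        if (!"https".equalsIgnoreCase(uc.getScheme()) || !"https".equalsIgnoreCase(jdk.getScheme())) {
            throw new IllegalArgumentException("only https targets permitted");
        }
        // Rebuild from validated components; getPort() is -1 when absent, which port() accepts.
        return UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .port(uc.getPort())
                .path(uc.getPath())
                .query(uc.getQuery())
                .fragment(uc.getFragment())
                .build()
                .toUriString();
    }

    public static void main(String[] args) {
        // Sample inputs constructed for the example.
        System.out.println(hardenedTarget("https://app.example.com/dashboard?tab=1"));
        try {
            hardenedTarget("https://evil.example.net/");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cross-check rejects any input on which UriComponentsBuilder and java.net.URI disagree rather than trying to decide which parser is right; combined with returning the rebuilt URL, the destination a client receives is always the host the allowlist check examined. Treat this as a compensating control while rolling out the fixed versions listed under Recommendations.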
Recommendations
For Spring Framework versions prior to 5.3.34, update to version 5.3.34 or later.
For Spring Framework versions prior to 6.0.19, update to version 6.0.19 or later.
For Spring Framework versions prior to 6.1.6, update to version 6.1.6 or later.
Fix: update to a fixed release (see Recommendations).
Vulnerability classes: SSRF, Open Redirect.
Affected Products
Bamboo
Bitbucket
Confluence
Debian
Spring Framework