CVE-2024-22243

CWE-601 — Open Redirect15 documents8 sources

Severity

8.1HIGH

EPSS

61.7%

top 1.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Framework

Timeline

PublishedFeb 23

Latest updateApr 15

Description

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5spring/spring_framework6.0.x — 6.0.17+5

▶Mavenorg.springframework:spring-web6.1.0 — 6.1.4+3

🔴Vulnerability Details

GHSA

Spring Framework URL Parsing with Host Validation↗2024-04-16

▶

GHSA

Spring Framework URL Parsing with Host Validation Vulnerability↗2024-03-16

▶

CVEList

CVE-2024-22243: Spring Framework URL Parsing with Host Validation↗2024-02-23

▶

GHSA

Spring Web vulnerable to Open Redirect or Server Side Request Forgery↗2024-02-23

▶

OSV

CVE-2024-22243: Applications that use UriComponentsBuilder to parse an externally provided URL (e↗2024-02-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Retail Applications Risk Matrix: Point of Sale (Spring Framework) — CVE-2024-22243↗2025-04-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Spring Framework) — CVE-2024-22243↗2024-07-15

▶

Red Hat

springframework: URL Parsing with Host Validation↗2024-04-16

▶

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Document Management (Spring Framework) — CVE-2024-22243↗2024-04-15

▶

Red Hat

springframework: URL Parsing with Host Validation↗2024-03-16

▶