[LAMA-138] CVE-2024-22262: Spring Framework URL Parsing with Host Validation - QueueMetrix Software

XML

Word

Printable

Details

Type: Bug
Status: Done
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 1.0.7.9
Component/s: Agent
Labels:
None

Acceptance Criteria:
Upgraded to Spring 6.1.14

Description

CVE-2024-22262: Spring Framework URL Parsing with Host Validation (3rd report)
HIGH | APRIL 11, 2024 | CVE-2024-22262

Affects version 6.0.19
https://spring.io/security/cve-2024-22262

Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect<https://cwe.mitre.org/data/definitions/601.html> attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259<https://spring.io/security/cve-2024-22259> and CVE-2024-22243<https://spring.io/security/cve-2024-22243>, but with different input.

Affected Spring Products and Versions
Spring Framework

6.1.0 - 6.1.5
6.0.0 - 6.0.18
5.3.0 - 5.3.33
Older, unsupported versions are also affected

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)
Fix version
Availability
6.1.x
6.1.6
OSS
6.0.x
6.0.19
OSS
5.3.x
5.3.34
OSS

Attachments

Activity

People

Assignee:

Matthew Batterham

Reporter:

Matthew Batterham

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Due:

13/Dec/24

Created:

08/Mar/25 4:18 PM

Updated:

08/Mar/25 4:57 PM

Resolved:

08/Mar/25 4:54 PM