GHSA-2wrp-6fg6-hmc5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2wrp-6fg6-hmc5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2wrp-6fg6-hmc5/GHSA-2wrp-6fg6-hmc5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2wrp-6fg6-hmc5
- Aliases
- Published
- 2024-04-16T06:30:28Z
- Modified
- 2024-08-27T18:47:38.791993Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Spring Framework URL Parsing with Host Validation
- Details
-
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
- Database specific
{ "nvd_published_at": "2024-04-16T06:15:46Z", "cwe_ids": [ "CWE-601" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-16T16:15:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-22262
- https://github.com/spring-projects/spring-framework
- https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
- https://security.netapp.com/advisory/ntap-20240524-0003
- https://spring.io/security/cve-2024-22262
Affected packages
Maven / org.springframework:spring-web
Package
- Name
- org.springframework:spring-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-web
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.3.34
Affected versions
1.*
1.0-rc1
1.0
1.0.1
1.1-rc1
1.1-rc2
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2-rc1
1.2-rc2
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
2.*
2.0-m1
2.0-m2
2.0-m3
2.0-m4
2.0-m5
2.0-rc1
2.0-rc2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.6.SEC01
2.5.6.SEC02
2.5.6.SEC03
3.*
3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
3.2.11.RELEASE
3.2.12.RELEASE
3.2.13.RELEASE
3.2.14.RELEASE
3.2.15.RELEASE
3.2.16.RELEASE
3.2.17.RELEASE
3.2.18.RELEASE
4.*
4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.0.5.RELEASE
4.0.6.RELEASE
4.0.7.RELEASE
4.0.8.RELEASE
4.0.9.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.1.6.RELEASE
4.1.7.RELEASE
4.1.8.RELEASE
4.1.9.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.3.0.RELEASE
4.3.1.RELEASE
4.3.2.RELEASE
4.3.3.RELEASE
4.3.4.RELEASE
4.3.5.RELEASE
4.3.6.RELEASE
4.3.7.RELEASE
4.3.8.RELEASE
4.3.9.RELEASE
4.3.10.RELEASE
4.3.11.RELEASE
4.3.12.RELEASE
4.3.13.RELEASE
4.3.14.RELEASE
4.3.15.RELEASE
4.3.16.RELEASE
4.3.17.RELEASE
4.3.18.RELEASE
4.3.19.RELEASE
4.3.20.RELEASE
4.3.21.RELEASE
4.3.22.RELEASE
4.3.23.RELEASE
4.3.24.RELEASE
4.3.25.RELEASE
4.3.26.RELEASE
4.3.27.RELEASE
4.3.28.RELEASE
4.3.29.RELEASE
4.3.30.RELEASE
5.*
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.0.20.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.1.14.RELEASE
5.1.15.RELEASE
5.1.16.RELEASE
5.1.17.RELEASE
5.1.18.RELEASE
5.1.19.RELEASE
5.1.20.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.2.16.RELEASE
5.2.17.RELEASE
5.2.18.RELEASE
5.2.19.RELEASE
5.2.20.RELEASE
5.2.21.RELEASE
5.2.22.RELEASE
5.2.23.RELEASE
5.2.24.RELEASE
5.2.25.RELEASE
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.20
5.3.21
5.3.22
5.3.23
5.3.24
5.3.25
5.3.26
5.3.27
5.3.28
5.3.29
5.3.30
5.3.31
5.3.32
5.3.33
Maven / org.springframework:spring-web
Package
- Name
- org.springframework:spring-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-web
Maven / org.springframework:spring-web
Package
- Name
- org.springframework:spring-web
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework/spring-web