CVE-2024-22259

Published: Mar 16, 2024Modified: Jun 10, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security@vmware.com (Secondary)

Description

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Affected (6)

Products: Vmware: Spring Framework · Netapp: Active Iq Unified Manager

1 product

Spring Framework

1 product

Active Iq Unified Manager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Framework	Before 5.3.33
Vmware Spring Framework	From 6.0.0 to 6.0.18
Vmware Spring Framework	From 6.1.0 to 6.1.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (4)

https://security.netapp.com/advisory/ntap-20240524-0002/

Source: security@vmware.com

Third Party Advisory

https://spring.io/security/cve-2024-22259

Source: security@vmware.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240524-0002/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://spring.io/security/cve-2024-22259

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.