CVE-2024-22262

Published: Apr 16, 2024Modified: Feb 13, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security@vmware.com (Secondary)

Description

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://security.netapp.com/advisory/ntap-20240524-0003/

Source: security@vmware.com

https://spring.io/security/cve-2024-22262

Source: security@vmware.com

https://security.netapp.com/advisory/ntap-20240524-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

https://spring.io/security/cve-2024-22262

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.