
CVE-2024-22259 Report - Details, Severity, & Advisories

Twingate Team

Jun 28, 2024

What is CVE-2024-22259?

CVE-2024-22259 is a high-severity vulnerability in the Spring Framework's UriComponentsBuilder. Applications that use UriComponentsBuilder to parse an externally provided URL (for example, one taken from a query parameter) and then perform validation checks on the host of the parsed URL may be vulnerable to open redirect or Server-Side Request Forgery (SSRF) attacks: a crafted URL can satisfy the host check yet resolve to a different host when the URL is actually used after validation. It is a follow-up to CVE-2024-22243, which is why the Spring advisory labels it the "2nd report".

Who is impacted by CVE-2024-22259?

This vulnerability affects applications that use UriComponentsBuilder to parse externally supplied URLs and run Spring Framework versions 6.1.0 through 6.1.4, 6.0.0 through 6.0.17, 5.3.0 through 5.3.32, or older, unsupported versions. Spring Boot applications inherit the framework version from their Boot release, so check the resolved spring-core version rather than the Boot version alone.

What to do if CVE-2024-22259 affects you

If you're affected by the CVE-2024-22259 vulnerability, it's crucial to update your Spring Framework to a fixed version. Here's a step-by-step guide:

  1. Identify your current Spring Framework version. Use the version of the resolved org.springframework:spring-core artifact (for example, from the output of mvn dependency:tree or ./gradlew dependencies), not the version you believe you declared, since BOMs and transitive dependencies can change it.

  2. Check if it's one of the affected versions: 6.1.0-6.1.4, 6.0.0-6.0.17, 5.3.0-5.3.32, or older unsupported versions.

  3. If affected, upgrade to at least the corresponding fixed version. Any later patch release on the same branch also contains the fix, and a further follow-up report, CVE-2024-22262, was fixed afterwards in 6.1.6, 6.0.19 and 5.3.34, so prefer the newest patch release of your branch:

    • 6.1.x: Upgrade to 6.1.5

    • 6.0.x: Upgrade to 6.0.18

    • 5.3.x: Upgrade to 5.3.33
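As an added worked example (not part of the original Twingate page or of the Spring project), the following POSIX shell script carries out the three steps above against build output: it extracts the resolved org.springframework:spring-core version from mvn dependency:tree or Gradle dependencies output, classifies it against the affected ranges, and names the fixed release. The sample dependency tree embedded in the script is constructed for illustration, and the function names are this example's own. It assumes that the resolved spring-core artifact version is the Spring Framework version in use, which holds for normally resolved Maven and Gradle builds.

```shell
#!/bin/sh
# Added example (not from the Twingate page or the Spring project): triage a
# build's Spring Framework version against the CVE-2024-22259 affected ranges.
# Assumption: the resolved org.springframework:spring-core artifact version is
# the Spring Framework version in use (true for normally resolved builds).

# Compare two dotted versions numerically; print -1, 0 or 1.
# Qualifiers such as -SNAPSHOT are ignored; missing components count as 0.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# Map a Spring Framework version to its status under this advisory.
# Later patch releases of a branch compare as FIXED because they are >= the fix.
classify() {
  v=$1
  case $v in
    6.1.*) fix=6.1.5 ;;
    6.0.*) fix=6.0.18 ;;
    5.3.*) fix=5.3.33 ;;
    *)
      # Anything below 5.3 is an unsupported line and is affected; branches
      # newer than 6.1 postdate this advisory and are not in its ranges.
      if [ "$(vercmp "$v" 5.3.0)" -lt 0 ]; then
        printf '%s\n' "AFFECTED unsupported line, upgrade to 5.3.33 or later"
      else
        printf '%s\n' "NOT_LISTED newer than the branches in this advisory"
      fi
      return ;;
  esac
  if [ "$(vercmp "$v" "$fix")" -lt 0 ]; then
    printf '%s\n' "AFFECTED upgrade to $fix"
  else
    printf '%s\n' FIXED
  fi
}

# Read dependency output on stdin and print the first resolved spring-core version.
# Maven line:  [INFO] |  \- org.springframework:spring-core:jar:6.1.3:compile
# Gradle line: |    +--- org.springframework:spring-core:6.1.2 -> 6.1.3 (*)
# Gradle's "a -> b" form means the build resolved b, so b is reported.
spring_core_version() {
  grep 'org\.springframework:spring-core:' | head -n 1 |
    sed -e 's/.*org\.springframework:spring-core:\(jar:\)\{0,1\}//' \
        -e 's/^\([^ :]*\) -> \([^ ]*\).*/\2/' \
        -e 's/[: ].*$//'
}

# Full triage of one build's dependency output: "<version> <status>".
triage() {
  v=$(printf '%s\n' "$1" | spring_core_version)
  if [ -z "$v" ]; then
    printf '%s\n' "UNKNOWN spring-core not found in dependency output"
    return
  fi
  printf '%s %s\n' "$v" "$(classify "$v")"
}

# Constructed sample of mvn dependency:tree output (not from a real build).
SAMPLE_MAVEN_TREE='[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:6.1.3:compile
[INFO] |  \- org.springframework:spring-core:jar:6.1.3:compile'

# On a real build:  mvn dependency:tree | spring_core_version
#   or:  ./gradlew dependencies --configuration runtimeClasspath | spring_core_version
triage "$SAMPLE_MAVEN_TREE"
```

Run it as-is to see the constructed sample classified as affected; in practice, pipe the real Maven or Gradle output into spring_core_version and pass the result to classify. The script only answers "which fix version does this advisory require"; it does not tell you whether your code actually performs host validation on a parsed URL, which is the condition under which the bug is reachable.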

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The Spring advisory titles CVE-2024-22259 "Spring Framework URL Parsing with Host Validation (2nd report)". It is not listed in CISA's Known Exploited Vulnerabilities Catalog, so no KEV remediation due date applies to it; it was published to the National Vulnerability Database on March 16, 2024. Absence from the catalog means only that CISA has not recorded exploitation in the wild, not that the issue is low risk: users of affected Spring Framework versions should still upgrade to the corresponding fixed version.

Weakness Enumeration

NVD records the weakness for this vulnerability as "Insufficient Information" (NVD-CWE-noinfo), which is NVD's placeholder when no specific CWE has been assigned to the entry. It does not mean the bug itself is poorly understood: the Spring advisory describes the impact as open redirect or SSRF reached by bypassing a host-validation check on a parsed URL.

Learn More

To better understand the vulnerability's description, severity, technical details, and known affected software configurations, refer to the NVD page for CVE-2024-22259 and the Spring Security advisory for it.
