CVE-2024-22243

HIGH

UriComponentsBuilder - Open Redirect

Title source: llm

Description

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.

Exploits (3)

nomisec WORKING POC 9 stars

by SeanPesce · poc

https://github.com/SeanPesce/CVE-2024-22243

View Code ZIP pw:eip

nomisec WORKING POC 5 stars

by shellfeel · poc

https://github.com/shellfeel/CVE-2024-22243-CVE-2024-22234

View Code ZIP pw:eip

nomisec STUB

by Reivap · poc

https://github.com/Reivap/CVE-2024-22243

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://spring.io/security/cve-2024-22243

[Mailing List] http://seclists.org/fulldisclosure/2024/Sep/24

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240524-0001/

Scores

CVSS v3 8.1

EPSS 0.5959

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

CWE

CWE-601

Status published

Products (4)

org.springframework/spring-web 6.1.0 - 6.1.4Maven

Spring/Spring Framework 5.3.x - 5.3.32

Spring/Spring Framework 6.0.x - 6.0.17

Spring/Spring Framework 6.1.x - 6.1.4

Published Feb 23, 2024

Tracked Since Feb 18, 2026