CVE-2024-22243
Published: 23 February 2024
Summary
CVE-2024-22243 is a high-severity Open Redirect (CWE-601) vulnerability in Spring (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Applications using Spring Framework's UriComponentsBuilder to parse externally supplied URLs, such as those received through query parameters, are vulnerable when they also perform host-based validation on the parsed result. The flaw, tracked as CVE-2024-22243, can allow the validation checks to be bypassed, exposing the application to open redirect or server-side request forgery outcomes if the resulting URL is subsequently used.
An unauthenticated remote attacker can supply a crafted URL that passes the intended host validation yet resolves to an attacker-controlled destination. Successful exploitation enables redirection of users to malicious sites or the use of the application server to issue requests against internal or external resources, corresponding to the observed CVSS 8.1 rating.
Spring has published guidance and patches addressing the issue at the referenced security advisory; organizations are advised to apply the updates or implement the recommended input-handling changes. The associated EPSS score has reached a peak of 0.6174 with a current value of 0.6012.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0615
Vulnerability details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
- CWE(s): CWE-601 (URL Redirection to Untrusted Site / Open Redirect)
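The pattern described in the deeper analysis and in the vulnerability details above (parse with UriComponentsBuilder, check the host, then use the URL) is shown below beside a hardened variant. This is an added illustration, not code from Spring or from the advisory; the class name, the allowlist hosts and the length cap are assumptions. The hardened version does not rely on a single parser's view of the host: it requires the RFC 3986 parser in java.net.URI and UriComponentsBuilder to agree, rejects userinfo and non-https schemes, checks the host against an allowlist, and rebuilds the URL from validated components instead of echoing the raw input.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

// Added example (not Spring's own code). Allowlist and helper names are assumptions.
public final class RedirectTargetValidator {

    // Assumed allowlist of hosts this application may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "sso.example.com");

    // The shape the advisory warns about: one parser, one host check, then the URL is used.
    // On a Spring version affected by CVE-2024-22243 the host check alone is not sufficient.
    static boolean isAllowedSingleParser(String candidate) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(candidate).build();
        String host = parsed.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Hardened variant: returns a normalized, allowlisted URI, or null to signal "do not redirect".
    static URI validateAndNormalize(String candidate) {
        if (candidate == null || candidate.length() > 2048) {
            return null; // assumption: a length cap is acceptable for redirect targets
        }
        URI rfc;
        try {
            rfc = new URI(candidate); // strict RFC 3986 parse
        } catch (URISyntaxException e) {
            return null;
        }
        UriComponents spring;
        try {
            spring = UriComponentsBuilder.fromUriString(candidate).build();
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Only absolute https targets; no userinfo from either parser's point of view.
        if (!"https".equalsIgnoreCase(rfc.getScheme())) {
            return null;
        }
        if (rfc.getRawUserInfo() != null || spring.getUserInfo() != null) {
            return null;
        }
        String rfcHost = rfc.getHost();
        String springHost = spring.getHost();
        // Both parsers must produce a host and must agree on it; any disagreement is a rejection.
        if (rfcHost == null || springHost == null || !rfcHost.equalsIgnoreCase(springHost)) {
            return null;
        }
        String host = rfcHost.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            return null;
        }
        // Rebuild from the validated components rather than forwarding the raw input string.
        return UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .port(rfc.getPort())          // -1 means "no explicit port"
                .path(rfc.getRawPath())
                .query(rfc.getRawQuery())
                .build(true)                  // components are already percent-encoded
                .toUri();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for a local run.
        String[] samples = {
            "https://app.example.com/dashboard?tab=1",   // allowlisted host, accepted
            "https://other.example/landing",              // host not on the allowlist, rejected
            "http://app.example.com/dashboard",           // wrong scheme, rejected
            "/relative/path"                              // no host, rejected by the absolute-URL policy
        };
        for (String s : samples) {
            URI out = validateAndNormalize(s);
            System.out.println(s + " -> " + (out == null ? "REJECT" : out));
        }
    }
}
```

The upgrade to a patched Spring Framework release remains the primary fix; the validator above is defence in depth for code paths that must keep accepting absolute redirect targets. Where the application can avoid that entirely, accepting only relative paths and resolving them against its own origin removes the host-validation question altogether.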
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.