CVE-2024-22259
Published: 16 March 2024
Summary
CVE-2024-22259 is a high-severity Open Redirect (CWE-601) vulnerability in VMware Spring Framework. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-22259 affects the UriComponentsBuilder component in Spring Framework. Applications that accept an externally supplied URL, such as via a query parameter, parse it with UriComponentsBuilder, and then perform host-based validation checks on the result can be tricked into treating a malicious URL as valid. The issue is functionally equivalent to CVE-2024-22243 but is triggered by different input patterns, and carries a CVSS 3.1 score of 8.1.
An unauthenticated remote attacker can supply a crafted URL that bypasses the host validation logic. Successful exploitation may result in an open redirect that sends users to an attacker-controlled site or, when the parsed URL is subsequently used for outbound requests, a server-side request forgery that reaches internal resources.
Spring has published mitigation guidance at https://spring.io/security/cve-2024-22259, and NetApp has issued a corresponding advisory at https://security.netapp.com/advisory/ntap-20240524-0002/. The associated EPSS score has remained near 0.56 with only minimal movement between its recorded peak and current values.
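To make the vulnerable pattern concrete, the following is an added illustration (not code from the advisory or from the Spring project): a host allowlist applied to the output of UriComponentsBuilder, which is the check the advisory says can be fooled on affected versions, beside a safer approach that never accepts an externally supplied absolute URL and redirects only to a same-origin path. The allowlist contents, class and method names are assumptions.

```java
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetCheck {

    // Constructed allowlist of hosts the application is willing to redirect to (assumed).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    // VULNERABLE PATTERN (the one described for CVE-2024-22259 / CVE-2024-22243):
    // trust the host that UriComponentsBuilder extracts from untrusted input and
    // then redirect to (or fetch) the raw input. On affected Spring versions the
    // parsed host can differ from where the URL actually leads, so the allowlist
    // check passes for a URL that leaves the allowed host. Upgrading per the Spring
    // advisory fixes the parser; the design below avoids relying on it at all.
    static boolean isAllowedByParsedHost(String userSuppliedUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(userSuppliedUrl).build();
        String host = parsed.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // SAFER PATTERN: do not accept absolute URLs from the client. Accept only a
    // same-origin path: exactly one leading '/', no scheme, no authority, and no
    // backslash (browsers treat "/\host" like "//host", i.e. protocol-relative).
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/")) return false;
        if (target.startsWith("//")) return false;          // protocol-relative URL
        if (target.contains("\\")) return false;            // "/\host" normalisation
        if (target.contains(":")) return false;             // any scheme-like prefix
        return true;
    }

    // Resolve the redirect on the server side; unknown targets fall back to "/".
    static String safeRedirect(String target) {
        return isLocalPath(target) ? target : "/";
    }
}
```

The ':' rejection is deliberately strict (it also refuses paths whose query string contains a colon); relax it only with a dedicated parser such as java.net.URI and an explicit check that the result has no scheme and no authority.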
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0937
Vulnerability details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.