CVE-2024-22262
Published: 16 April 2024
Summary
CVE-2024-22262 is a high-severity Open Redirect (CWE-601) vulnerability in Spring (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-22262 affects applications built with Spring Framework that use UriComponentsBuilder to parse externally supplied URLs, such as those received through query parameters, while also performing host-based validation checks on the resulting URI. The flaw stems from inconsistent parsing behavior that can allow specially crafted inputs to bypass those checks, exposing the application to open redirect or server-side request forgery outcomes when the validated URL is subsequently used. The issue is functionally equivalent to the earlier CVE-2024-22259 and CVE-2024-22243 disclosures but is triggered by different input patterns.
An unauthenticated remote attacker can supply a malicious URL via user-controlled input. If the application trusts the host validation performed on the parsed object, the attacker may cause an open redirect to an arbitrary destination or induce the server to issue requests to internal resources that would otherwise be blocked.
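Added illustration (not Spring's own code and not taken from this advisory) of the vulnerable pattern the analysis describes, placed next to a hardened design for the open-redirect case; the allow-listed host and the method names are assumptions, and the crafted inputs that bypass the check are deliberately not reproduced. The actual remediation is updating to the patched Spring Framework release named in the advisory; the hardened method is defence in depth that removes the dependence on host parsing altogether.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public final class RedirectTargetPolicy {

    // Hypothetical allow-list of hosts this application may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    /**
     * The pattern the advisory describes: the host is read from the
     * UriComponentsBuilder result, checked against an allow-list, and the
     * ORIGINAL string is then handed to the redirect. On an unpatched Spring
     * Framework, inputs the builder parses differently from a browser can
     * pass this check; those inputs are not shown here.
     */
    static String vulnerableRedirectTarget(String candidate) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(candidate).build();
        String host = parsed.getHost();
        if (host != null && ALLOWED_HOSTS.contains(host)) {
            return candidate; // raw user-controlled string reaches the Location header
        }
        return "/";
    }

    /**
     * Hardened alternative (in addition to upgrading): never redirect to an
     * externally supplied absolute URL. Only a relative path on this origin
     * is accepted, parsed with java.net.URI, and the target is rebuilt from
     * the parsed path and query instead of echoing the input. The fragment is
     * intentionally dropped.
     */
    static String hardenedRedirectTarget(String candidate) {
        try {
            URI uri = new URI(candidate);
            String path = uri.getRawPath();
            boolean localRelative = !uri.isAbsolute()
                    && uri.getRawAuthority() == null     // rejects "//host/..." forms
                    && path != null
                    && path.startsWith("/")
                    && !path.startsWith("//");
            if (!localRelative) {
                return "/";
            }
            String query = uri.getRawQuery();
            return query == null ? path : path + "?" + query;
        } catch (URISyntaxException e) {
            return "/"; // unparseable input (e.g. backslashes) is never a redirect target
        }
    }
}
```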
Spring has published an advisory at https://spring.io/security/cve-2024-22262 that details the affected versions and required updates; NetApp has issued a corresponding advisory (NTAP-20240524-0003) for its products that incorporate the vulnerable component.
The EPSS score reached a peak of 0.1520 after disclosure, indicating a measurable increase in observed exploitation interest relative to its initial low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1071
Vulnerability details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect https://cwe.mitre.org/data/definitions/601.html attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates redirect targets and URLs to ensure they conform to allowed destinations.
- Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Detects server-side request forgery through monitoring of unexpected outbound connections.