CVE-2024-22243

Spring Web vulnerable to Open Redirect or Server Side Request Forgery

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. one supplied through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing those validation checks.
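The pattern the advisory describes, with a hardened variant beside it, as an added Java example that is not part of the advisory or of the Spring project. It assumes spring-web on the classpath; `ALLOWED_HOSTS` is a hypothetical allow-list, and the cross-parser check is a defence-in-depth measure, not the upstream fix (upgrading to a patched spring-web remains the primary mitigation).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/** Added example: host allow-listing of an externally supplied redirect/fetch target. */
public final class RedirectTargetCheck {

    // Hypothetical allow-list; a real application would load this from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    /**
     * The pattern the advisory warns about ("before" case): decide on the host that
     * UriComponentsBuilder reports, then let the caller use the ORIGINAL string.
     */
    static boolean hostLooksAllowed(String externalUrl) {
        UriComponents c = UriComponentsBuilder.fromUriString(externalUrl).build();
        return c.getHost() != null && ALLOWED_HOSTS.contains(c.getHost().toLowerCase());
    }

    /**
     * Hardened variant: parse with both UriComponentsBuilder and java.net.URI, require the
     * two parsers to agree on the host, reject userinfo and non-http(s) schemes, and hand
     * back a URL rebuilt from the validated components instead of the raw input.
     * Returns null when the URL must not be used.
     */
    static String validatedTarget(String externalUrl) {
        UriComponents c;
        URI jdk;
        try {
            c = UriComponentsBuilder.fromUriString(externalUrl).build();
            jdk = new URI(externalUrl);
        } catch (IllegalArgumentException | URISyntaxException e) {
            return null; // unparseable by either parser: refuse
        }
        String host = c.getHost();
        if (host == null || jdk.getHost() == null) return null;
        if (!host.equalsIgnoreCase(jdk.getHost())) return null;          // parsers disagree
        if (c.getUserInfo() != null || jdk.getRawUserInfo() != null) return null;
        String scheme = c.getScheme();
        if (scheme == null) return null;
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        // Re-serialise from the validated components (fragment intentionally dropped).
        return UriComponentsBuilder.newInstance()
                .scheme(scheme).host(host).port(c.getPort())
                .path(c.getPath()).query(c.getQuery())
                .build().toUriString();
    }
}
```

The "before" method is kept only to show the shape of the risky check; callers should use the rebuilt string from `validatedTarget` and never the externally supplied one.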

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 8
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected Versions:
- org.springframework:spring-web >= 6.1.0, < 6.1.4
- org.springframework:spring-web >= 6.0.0, < 6.0.17
- org.springframework:spring-web >= 5.3.0, < 5.3.32
Severity: High
Ecosystem:
Publish Date: February 23, 2024
Modified Date: February 13, 2025