CVE-2024-22243
Open Redirect vulnerability in spring-web (Maven)
What is CVE-2024-22243 About?
This vulnerability affects applications that use `UriComponentsBuilder` to parse externally provided URLs (for example, a redirect target passed in a query parameter) and then validate the host of the parsed result. It can lead to an open redirect or Server-Side Request Forgery (SSRF) when the original URL string, rather than the validated components, is used after the host check has passed: on affected versions the parser can report an allowed host for a crafted string that a browser or HTTP client resolves to a different host.
Affected Software
- org.springframework:spring-web
- >=5.3.0, <5.3.32
- >=6.0.0, <6.0.17
- >=6.1.0, <6.1.4
- <=5.2.25.RELEASE (older, unsupported branches are also affected)
Technical Details
The vulnerability occurs when an application uses UriComponentsBuilder in Spring Framework to parse URLs provided by external sources, such as query parameters, and then performs validation checks on the host component of the parsed URL. Because of how the regular expression in affected versions splits the authority part of a URI, an attacker can craft a URL for which UriComponentsBuilder reports a host that passes validation, while a browser following the redirect, or an HTTP client making the request, resolves the same string to a different, attacker-controlled host. This bypasses the intended host validation, enabling redirection to arbitrary external sites (Open Redirect) or, when the server itself fetches the URL, requests to internal or other attacker-chosen services (SSRF). The essential precondition is that the application uses the original string after validation instead of the components it actually validated.
What is the Impact of CVE-2024-22243?
Successful exploitation may allow attackers to redirect users to malicious websites, facilitating phishing attacks, or to induce the server to make unauthorized requests to internal network resources or external services, leading to data exposure or further network compromise.
What is the Exploitability of CVE-2024-22243?
Exploitation is of medium complexity: the attacker needs a URL that UriComponentsBuilder and the eventual consumer (browser or HTTP client) split into host and userinfo differently, and some knowledge of how the application's host validation is implemented. No authentication or special privileges are required, since the attack consists of submitting a crafted URL as ordinary user input, and it is carried out remotely by sending that URL to the target application. The conditions that must hold are that the application parses external URLs with UriComponentsBuilder, checks the parsed host, and then uses the original URL for a redirect or an outbound request. Likelihood is higher in applications that routinely redirect to, or fetch, user-supplied URLs after such a check.
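The following Java class is an added example, not code from the Spring project or from this advisory's authors. It shows the vulnerable pattern described under Technical Details and Exploitability (validate the parsed host, then hand the raw string onward) beside a hardened variant that only ever uses the validated components. The class name, method names and the allowlist are hypothetical; the crafted string that triggers the bug on affected versions is deliberately not reproduced, so the sample inputs in `main` are ordinary constructed URLs. It compiles against spring-web 6.x.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Added example (hypothetical application code, not Spring's own). Demonstrates the
 * pattern CVE-2024-22243 targets and a hardened alternative.
 */
public class RedirectTargetCheck {

    // Hypothetical allowlist of hosts this application may redirect to or fetch from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    /**
     * VULNERABLE pattern: the host check runs on what UriComponentsBuilder parsed, but the
     * untouched input string is what later lands in a Location header or an HTTP client.
     * On affected spring-web versions the parser can report an allowed host for a crafted
     * string that a browser or client resolves to a different host (open redirect / SSRF).
     */
    static String vulnerableTarget(String userSupplied) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(userSupplied).build();
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        return userSupplied; // BUG: validated the parsed view, returned the raw string
    }

    /**
     * HARDENED pattern (in addition to upgrading spring-web, which is the real fix):
     * require https, reject any userinfo, require java.net.URI to agree on the host
     * (two parsers disagreeing is exactly the ambiguity the CVE exploits), and rebuild
     * the target from the validated components so the raw input never reaches a consumer.
     */
    static URI hardenedTarget(String userSupplied) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(userSupplied).build();

        if (!"https".equalsIgnoreCase(parsed.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed: " + parsed.getScheme());
        }
        if (parsed.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo is not allowed");
        }
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }

        // Defense in depth: an independent parser must see the same host, otherwise the
        // authority is ambiguous and the input is rejected.
        String secondOpinion;
        try {
            secondOpinion = new URI(userSupplied).getHost();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("input is not a well-formed URI", e);
        }
        if (secondOpinion == null || !secondOpinion.equalsIgnoreCase(host)) {
            throw new IllegalArgumentException("ambiguous authority: parsers disagree on host");
        }

        // Only validated components are used; the raw input is discarded here.
        String path = parsed.getPath() == null ? "" : parsed.getPath();
        String query = parsed.getQuery() == null ? "" : parsed.getQuery();
        return UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .port(parsed.getPort()) // -1 means no explicit port
                .path(path)
                .query(query)
                .build()
                .toUri();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for illustration only.
        String[] inputs = {
                "https://example.com/account?tab=1",
                "https://user:secret@example.com/account",
                "http://example.com/account",
                "https://attacker.example/login",
        };
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + hardenedTarget(in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + in + " -> " + e.getMessage());
            }
        }
    }
}
```

Of the four constructed inputs only the first is accepted; the others are refused for userinfo, scheme and host respectively. The parser-agreement check narrows the room for a differential between Spring's parser and the client, but java.net.URI has its own parsing rules, so it is a mitigation layered on top of upgrading to a fixed spring-web release, not a substitute for it.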
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| SeanPesce | Link | Example exploitable scenarios for CVE-2024-22243 affecting the Spring framework (open redirect & SSRF). |
| shellfeel | Link | env of CVE-2024-22243&CVE-2024-22234 |
| Reivap | Link | Code used from @SeanPesce |
What are the Available Fixes for CVE-2024-22243?
About the Fix from Resolved Security
This patch tightens the regular expression UriComponentsBuilder uses to parse the userinfo component of a URI, adjusting the character class that governs "[" so that a userinfo field can no longer begin with "[". This closes CVE-2024-22243 by removing the parsing ambiguity that allowed a crafted URL to be split into userinfo and host differently by UriComponentsBuilder than by the browser or HTTP client that later consumed it; after the change, the host that passes validation is the host that is actually used.
Available Upgrade Options
- org.springframework:spring-web
- >=5.3.0, <5.3.32 → Upgrade to 5.3.32
- >=6.0.0, <6.0.17 → Upgrade to 6.0.17
- >=6.1.0, <6.1.4 → Upgrade to 6.1.4
- <=5.2.25.RELEASE → no fixed release is listed for this unsupported branch; move to 5.3.32 or later
Additional Resources
- https://spring.io/security/cve-2024-22243
- https://nvd.nist.gov/vuln/detail/CVE-2024-22243
- https://osv.dev/vulnerability/GHSA-ccgv-vj62-xf9h
- https://github.com/spring-projects/spring-framework
- https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
- https://security.netapp.com/advisory/ntap-20240524-0001/
- http://seclists.org/fulldisclosure/2024/Sep/24
What are Similar Vulnerabilities to CVE-2024-22243?
Similar Vulnerabilities: CVE-2024-22259 (a further bypass in the same UriComponentsBuilder host parsing, fixed separately), CVE-2023-34035, CVE-2022-22965, CVE-2021-22097, CVE-2020-5421
