CVE: 2024-22259 found in Spring Web - Version: 4.3.10.RELEASE [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Spring Web
Description	Spring Web
Language	JAVA
Vulnerability	Server Side Request Forgery (SSRF)
Vulnerability description	org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forgery (SSRF) attack. Note that this vulnerability is the same as CVE-2024-22243 but with different input.
CVE	2024-22259
CVSS score	7.8
Vulnerability present in version/s	3.1.0.RC1-5.3.32
Found library version/s	4.3.10.RELEASE
Vulnerability fixed in version	5.3.33
Library latest version	6.2.0-RC1
Fix	Please update to 5.3.33

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/1104?version=4.3.10.RELEASE
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/45940
• Patch: https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb