VDB
DEBIAN-CVE-2024-22243
DEBIAN-CVE-2024-22243
PUBLISHED
CVSS 8.100000381469727 HIGH
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
Risk Scores
CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | libspring-java | 0, 4.3.30-1, 4.3.30-3 |
| Debian:13 | libspring-java | 4.3.30-4, 0, 4.3.30-3 |
| Debian:12 | libspring-java | 4.3.30-3, 4.3.30-4, 4.3.30-2 |
| Debian:14 | libspring-java | 4.3.30-3, 0, 4.3.30-4 |
Exploit Intelligence
- Code used from @SeanPesce (github-poc-repo)
- Code used from @SeanPesce (github-poc)
- env of CVE-2024-22243&CVE-2024-22234 (github-poc)
- Example exploitable scenarios for CVE-2024-22243 affecting the Spring framework (open redirect & SSRF). (github-poc)
- OpenApiDocs.java (github-poc)
- OAuthController.java (github-poc)
- dependency-check-suppress.xml (github-poc)
- test_ghsa_completeness.py (github-poc)
Timeline
- Feb 23, 2024 CVE Published
- Apr 28, 2026 CVE Updated