CVE-2024-22243: Spring Framework Flaw Opens Doors to Redirects and SSRF Attacks

The Spring Framework, a cornerstone of countless enterprise Java applications, recently revealed a significant vulnerability (CVE-2024-22243). This high-severity flaw could enable attackers to exploit applications that process external URLs, potentially leading to open redirect attacks or the more dangerous Server-Side Request Forgery (SSRF).


The Core Issue: Unchecked Trust

The problem stems from applications using Spring’s UriComponentsBuilder to parse URLs from outside sources (e.g. through a query parameter). If these applications then validate the host of the parsed URL, they may be unwittingly opening themselves to attack. This happens because a malicious actor could craft a URL that passes the validation but later redirects or triggers requests to unexpected systems.

Attack Scenarios

CVE-2024-22243 manifests in two primary forms of attack:

  1. Phishing (Open Redirect): An attacker could send a user a seemingly legitimate link to your application. This disguised link, when clicked, might pass URL validation but then redirect the unsuspecting user to a malicious website, designed to harvest credentials or spread malware.

  2. SSRF: Internal Network Probing: In a Server-Side Request Forgery attack, an attacker could force your application to send requests to systems within your internal network. This could be used to map your infrastructure, potentially finding even more vulnerable targets for further exploitation.

Who’s at Risk?

You’re likely affected if your Spring application:

  • Uses UriComponentsBuilder to handle any URL from an external source.
  • Validates URLs from these sources based on the hostname.
  • Uses those validated URLs in subsequent steps.
  • Is running Spring Framework versions 6.1.0 – 6.1.3, 6.0.0 – 6.0.16, 5.3.0 – 5.3.31, or older unsupported versions.

Patch Now!

The good news is that the Spring team has swiftly released patches. Immediate action is vital:

  • Upgrade:
    • 6.1.x users: Update to 6.1.4
    • 6.0.x users: Update to 6.0.17
    • 5.3.x users: Update to 5.3.32