| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.springframework:spring-web | maven | >= 6.1.0, < 6.1.5 | 6.1.5 |
| org.springframework:spring-web | maven | >= 6.0.0, < 6.0.18 | 6.0.18 |
| org.springframework:spring-web | maven | < 5.3.33 | 5.3.33 |
The vulnerability (CVE-2024-22259) lies in how UriComponentsBuilder parses externally provided URLs. The regular expressions USERINFO_PATTERN and HOST_IPV4_PATTERN used to dissect the URL's authority component were overly permissive, and certain validation checks (for example, rejecting a malformed IPv6 host with an unclosed bracket) were missing. As a result, UriComponentsBuilder could report a host for a specially crafted URL that differs from the host an HTTP client or browser would actually connect to. If an application validates the parsed host (for instance, against an allowlist before issuing a redirect or a server-side request), that validation can be bypassed, leading to open redirect or SSRF.

The three public static factory methods fromUriString, fromHttpUrl, and fromOriginHeader are the entry points in UriComponentsBuilder that perform this parsing. The fix (e.g., commit 297cbae2990e1413537c55845a7e0ea0ffd9f9bb) changes these methods by:

1. Correcting the definitions of USERINFO_PATTERN and HOST_IPV4_PATTERN.
2. Introducing a new private static method, checkSchemeAndHost, that centralizes the existing checks and adds new validation logic (such as rejecting an incomplete IPv6 host bracket).
3. Calling checkSchemeAndHost from within fromUriString, fromHttpUrl, and fromOriginHeader.

These three methods, in their pre-patch state, are therefore the vulnerable functions: they contained the flawed parsing logic that could be exploited. Applications that rely on the parsed host for security decisions should upgrade to the first patched version of their release line listed in the table above.
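The following is an added example, not Spring's code and not the patch itself, written in Python so it runs stand-alone. It shows the class of failure the advisory describes: a host extracted by a permissive authority regex (the constructed PERMISSIVE_AUTHORITY below is an illustration of an overly permissive userinfo pattern, not Spring's actual USERINFO_PATTERN) disagrees with the host a standards-following parser produces, so an allowlist check built on the permissive host passes for a URL that actually points elsewhere. The strict_host function shows the hardened shape: reject userinfo, require a closed IPv6 bracket, require a well-formed dotted-decimal IPv4, and only then compare against the allowlist. All URLs and the allowlist are constructed sample inputs.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for the demo.
ALLOWED_HOSTS = {"trusted.example"}

# Constructed illustration of a permissive authority regex (an assumption for
# this demo, NOT Spring's USERINFO_PATTERN): the optional userinfo group
# "[^@]*@" is allowed to swallow "/", so the host group can land on text that a
# browser or HTTP client treats as part of the path.
PERMISSIVE_AUTHORITY = re.compile(
    r"^[a-zA-Z][a-zA-Z0-9+.-]*://(?:[^@]*@)?([^/:?#]+)"
)


def permissive_host(url: str) -> Optional[str]:
    """Host as seen by the permissive regex (the flawed behaviour)."""
    m = PERMISSIVE_AUTHORITY.match(url)
    return m.group(1).lower() if m else None


def strict_host(url: str) -> Optional[str]:
    """Return the host only when the URL is unambiguous, otherwise None."""
    try:
        parts = urlsplit(url)  # raises ValueError on an unclosed "[" in the authority
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    netloc = parts.netloc
    if not netloc or any(c in netloc for c in "\\ \t\r\n"):
        return None
    # Refuse userinfo entirely: "user@host" is the classic source of host confusion.
    if "@" in netloc:
        return None
    # Bracketed IPv6 literal: the bracket must be closed and the literal must parse.
    if netloc.startswith("["):
        end = netloc.find("]")
        if end == -1:
            return None  # incomplete IPv6 bracket
        literal = netloc[1:end]
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return None
        rest = netloc[end + 1:]
        if rest and not re.fullmatch(r":\d{1,5}", rest):
            return None
        return f"[{literal}]"
    # Unbracketed authority: at most one ":" (the port separator).
    if netloc.count(":") > 1:
        return None
    host, _, port = netloc.partition(":")
    if not host or (port and not re.fullmatch(r"\d{1,5}", port)):
        return None
    # Dotted-decimal shape must be a real IPv4 address: exactly four decimal octets.
    if re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            return None
        return host
    # Registered name: DNS-style labels only.
    if not re.fullmatch(r"(?:[a-zA-Z0-9-]{1,63}\.)*[a-zA-Z0-9-]{1,63}\.?", host):
        return None
    return host.lower().rstrip(".")


def is_allowed(url: str, allowed=frozenset(ALLOWED_HOSTS)) -> bool:
    """Allowlist decision based on the strict host; ambiguous URLs are denied."""
    host = strict_host(url)
    return host is not None and host in allowed


if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("https://trusted.example/login",
              "https://evil.example/@trusted.example",
              "https://trusted.example@evil.example/",
              "https://[::1",
              "https://[2001:db8::1]:8443/",
              "http://1.2.3.4.5/"):
        print(f"{u:45} permissive={permissive_host(u)!r:20} "
              f"strict={strict_host(u)!r:20} allowed={is_allowed(u)}")
```

The second sample URL is the instructive one: the permissive regex reports trusted.example, so a check written as `permissive_host(url) in ALLOWED_HOSTS` would pass, while any real client connects to evil.example. The strict parse returns evil.example and the allowlist check fails, which is the behaviour the patched UriComponentsBuilder aims for.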