The vulnerability CVE-2024-22262 concerns URL parsing in Spring Framework's 'UriComponentsBuilder', leading to potential host validation bypass. The description indicates it's similar to CVE-2024-22259 and CVE-2024-22243. Since the 'get_commit_infos' tool failed to retrieve commit details, I analyzed the commits associated with CVE-2024-22259 (e.g., f2fd2f1, 381f790, 297cbae) by manual inspection on GitHub. These commits show modifications in the private static method 'parseUriString' within 'UriComponentsBuilder.java'. The changes address how userinfo is handled (using 'lastIndexOf("@")'), how special characters in userinfo are validated, and how opaque URIs are parsed. The public method 'fromUriString' is the entry point that uses 'parseUriString'. Therefore, 'fromUriString' processes the malicious input, and 'parseUriString' contained the vulnerable logic that was patched.
Miggo AI