CVE-2024-22243: 
Java vulnerability analysis and mitigation

CVE-2024-22243 is a vulnerability in Spring Framework that affects versions 6.1.0-6.1.3, 6.0.0-6.0.16, 5.3.0-5.3.31, and older unsupported versions. The vulnerability was discovered on February 21, 2024, and was responsibly reported by Sean Pesce from Motorola Solutions (Spring Security).

The vulnerability occurs in applications that use UriComponentsBuilder to parse externally provided URLs (e.g., through query parameters) and perform validation checks on the host of the parsed URL. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (Spring Security).

When successfully exploited, this vulnerability could lead to open redirect attacks or Server-Side Request Forgery (SSRF) attacks if the URL is used after passing validation checks. This could potentially result in disclosure of sensitive information or addition/modification of data (NetApp Security).

Users are advised to upgrade to the following fixed versions: Spring Framework 6.1.x users should upgrade to 6.1.4, 6.0.x users should upgrade to 6.0.17, and 5.3.x users should upgrade to 5.3.32. No other steps are necessary for mitigation (Spring Security).