CVE-2024-22259: 
Java vulnerability analysis and mitigation

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g., through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to a Server-Side Request Forgery (SSRF) attack if the URL is used after passing validation checks. The vulnerability affects Spring Framework versions 6.1.0-6.1.4, 6.0.0-6.0.17, 5.3.0-5.3.32, and older unsupported versions (Spring Security).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges but does need user interaction, and can result in high impacts to both confidentiality and integrity (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition/modification of data through open redirect attacks or SSRF attacks. The vulnerability affects applications that implement URL validation checks using the UriComponentsBuilder component (NetApp Security).

Users of affected versions should upgrade to the corresponding fixed versions: Spring Framework 6.1.5 for 6.1.x users, 6.0.18 for 6.0.x users, and 5.3.33 for 5.3.x users. These fixes are available as open-source software (OSS) releases (Spring Security).