CVE-2024-22243 - Open Redirect / Server-side Request Forgery (SSRF)
Severity: High
2024-09-10
Abstract
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. one supplied through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack (https://cwe.mitre.org/data/definitions/601.html) or to an SSRF attack if the URL is used after it passes those validation checks.
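The following Java snippet is an added illustration of the pattern the abstract describes and is not code from the Oxygen products or from the Spring Framework. The first method shows the risky shape: the host check runs on the result of UriComponentsBuilder's parse, and the caller is then free to use the raw input string. The second method is a hardened alternative that validates with java.net.URI (a strict RFC 3986 parser), rejects userinfo and non-http(s) schemes, and returns a URI rebuilt only from the validated components, so the redirect or outbound request never touches the raw string. The class name, the allow-list hosts and the method names are assumptions for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public final class RedirectTargetCheck {

    // Hosts this application may redirect to or fetch from (constructed example values).
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    // The pattern the advisory warns about: the host check is performed on
    // UriComponentsBuilder's parse, and the caller then reuses the original string.
    // Whether this check holds depends on the Spring Framework version in use;
    // the fix for CVE-2024-22243 is to upgrade to a patched version.
    public static boolean isAllowedUsingBuilder(String externalUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = parsed.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Hardened variant: parse strictly, reject anything that is not a plain
    // absolute http(s) URL without userinfo, and return a URI rebuilt from the
    // validated components only. Returns null when the input must be refused.
    public static URI validatedTarget(String externalUrl) {
        URI uri;
        try {
            uri = new URI(externalUrl);
        } catch (URISyntaxException e) {
            return null;
        }
        if (!uri.isAbsolute() || uri.isOpaque()) {
            return null;
        }
        String scheme = uri.getScheme().toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;
        }
        if (uri.getRawUserInfo() != null) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        try {
            // Fragment is dropped: it is never sent to a server and has no place in a redirect target.
            return new URI(scheme, null, host, uri.getPort(), uri.getPath(), uri.getQuery(), null);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String ok = "https://www.example.com/account?tab=settings";
        String other = "https://attacker.invalid/";
        System.out.println(isAllowedUsingBuilder(ok));      // true
        System.out.println(validatedTarget(ok));            // rebuilt https://www.example.com/account?tab=settings
        System.out.println(validatedTarget(other));         // null: host not in the allow list
    }
}
```

The design point is that the object used for the redirect or request must be the same object that was validated; validating one parser's view of a string and then handing the raw string to a different parser is what turns a lenient parse into an open redirect or SSRF.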
The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Feedback v4.1 and older | None | Oxygen Feedback 5.0 build 2024090417 |
| Oxygen Content Fusion v7.0 and older | None | N/A |
Detail
CVE-2024-22243
Severity: High
CVSS Score: 8.1
The Spring Framework third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2024-22243 vulnerability description. However, Oxygen products do not use UriComponentsBuilder to parse externally provided URLs. For that reason, Oxygen products are not affected by this vulnerability.
Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Framework was updated to a version that fixes this vulnerability.