CVE-2024-22259 - Open Redirect / Server-side Request Forgery (SSRF)

Severity: None

2024-09-10


Abstract

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. one received through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack, or to an SSRF attack if the URL is used after passing the validation checks. This is the same issue as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but triggered by different input.

The Oxygen products incorporate Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
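The vulnerable usage pattern described above, shown as an added example that is not part of this advisory or of the Oxygen products: a host check that trusts only the UriComponentsBuilder parse, next to a hardened check that also requires an independent parser (java.net.URI) to agree on the host and only ever redirects to the rebuilt URI. The allowlist host and the method names are assumptions made for this example; updating to a fixed Spring Framework release remains the actual fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetCheck {
    // Hypothetical allowlist of redirect hosts (assumption for this example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("feedback.example.com");

    // Pattern the advisory describes as risky: the decision rests solely on the
    // host that UriComponentsBuilder extracted. On an affected Spring version,
    // input that this parser interprets differently from the component that later
    // consumes the URL can pass the check and still lead somewhere else.
    static boolean hostIsAllowedUnsafe(String externalUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = parsed.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Hardened variant (added here, not from the advisory): reject the URL unless
    // both parsers agree on the host, the host is allowlisted, the scheme is https
    // and no user-info component is present; return the rebuilt URI, never the
    // raw string, so the redirect target is exactly what was validated.
    static URI safeRedirectTarget(String externalUrl) {
        UriComponents parsed;
        URI strict;
        try {
            parsed = UriComponentsBuilder.fromUriString(externalUrl).build().normalize();
            strict = new URI(externalUrl).normalize();
        } catch (IllegalArgumentException | URISyntaxException e) {
            return null; // anything either parser refuses is rejected
        }
        String host = parsed.getHost();
        if (host == null || strict.getHost() == null) return null;
        if (!host.equalsIgnoreCase(strict.getHost())) return null; // parser disagreement
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        if (!"https".equalsIgnoreCase(parsed.getScheme())) return null;
        if (strict.getRawUserInfo() != null) return null; // no "user@host" forms
        return parsed.toUri();
    }
}
```

A caller that does `response.sendRedirect(safeRedirectTarget(param).toString())` after a null check never forwards the untrusted string itself; a null result should be logged, since repeated parser disagreements are a useful detection signal for this class of attack.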

Affected Products/Versions

Product                          Severity   Fixed Release Availability
Oxygen Feedback v4.1 and older   None       Oxygen Feedback 5.0 build 2024090417

Mitigation

None

Detail

CVE-2024-22259

Severity: High

CVSS Score: 8.1

The Spring Framework third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2024-22259 vulnerability description. However, Oxygen Feedback does not use UriComponentsBuilder to parse externally provided URLs. For that reason, Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Framework was updated to a version which fixes this vulnerability.
