CVE-2024-22262 - Open Redirect / Server-side Request Forgery (SSRF)

Severity: None2024-09-10

Security Advisories

Abstract

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

The Oxygen products incorporate Spring Framework as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Feedback v4.1 and olderNone Oxygen Feedback 5.0 build 2024090417

Mitigation

None

Detail

CVE-2024-22262

Severity: High

CVSS Score: 8.1

The Spring Framework third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2024-22262 vulnerability description. However, Oxygen Feedback does not use URIComponentsBuilder to parse externally provided URL. For that reason Oxygen products are not affected by this vulnerability.

Starting with Oxygen Feedback v5.0 build 2024090417, the Spring Framework was updated to a version which fixes this vulnerability.

List of Security Advisories