CXF / CXF-9016

Upgrade Spring-Framework to 5.3.34 in Apache-cxf


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Information Provided
    • Affects Version/s: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
    • Fix Version/s: 3.5.9, 4.1.0, 4.0.5, 3.6.4
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      We have a high severity security issue with spring-framework:

      Affected Spring Products and Versions

      Spring Framework

      • 6.1.0 - 6.1.5
      • 6.0.0 - 6.0.18
      • 5.3.0 - 5.3.33
      • Older, unsupported versions are also affected

      Summary: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

      This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.


      Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

      All these issues were fixed in Spring-Framework 5.3.34.


      Could you please review and update Spring-Framework as needed in the CXF package?

          People

            Assignee: Unassigned
            Reporter: Nikhil (somasaninikhil)
            Votes: 0
            Watchers: 2