CVE-2024-22259

🗓️ 16 Mar 2024 04:40:08Reported by vmwareType

cve🔗 web.nvd.nist.gov📰️ 15 Media mentions👁 435 Views🌐 WEB

Spring Framework UriComponentsBuilder vulnerability in URL parsing and validation

Reporter	Title	Published	Views	Family All 69
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.14.4 IF001	14 May 202420:42	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability with OpenJDK, commons-compress and spring-web-5.3.27/spring-web-5.3.32 affect IBM Cloud Object Storage Systems (April 2024v1)	1 Apr 202416:26	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Governance - Identity Manager has multiple vulnerabilities	11 Jul 202407:21	–	ibm
IBM Security Bulletins	Security Bulletin: Due to the use of VMWare Tanzu Spring Framework, IBM DevOps Build is vulnerable to remote attacker to conduct phising attacks	3 Feb 202522:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager for May 2024 - Multiple CVEs addressed	14 Jun 202409:53	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	6 Jun 202414:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities	18 Apr 202413:43	–	ibm
IBM Security Bulletins	Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities	17 Jun 202420:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to phishing attacks in VMware Tanzu Spring Framework [CVE-2024-22259]	20 Jun 202418:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Automation Decision Services - April 2024 -Multiple CVEs addressed	9 May 202407:13	–	ibm

NVD

Node

vmware spring_frameworkRange<5.3.33

vmware spring_frameworkRange6.0.0–6.0.18

vmware spring_frameworkRange6.1.0–6.1.5

Node

netapp active_iq_unified_managerMatch-linux

netapp active_iq_unified_managerMatch-vmware_vsphere

netapp active_iq_unified_managerMatch-windows

[
  {
    "defaultStatus": "affected",
    "packageName": "Spring Framework",
    "product": "Spring Framework",
    "vendor": "Spring",
    "versions": [
      {
        "lessThan": "6.1.5",
        "status": "affected",
        "version": "6.1.x",
        "versionType": "git"
      },
      {
        "lessThan": "6.0.18",
        "status": "affected",
        "version": "6.0.x",
        "versionType": "git"
      },
      {
        "lessThan": "5.3.33",
        "status": "affected",
        "version": "5.3.x",
        "versionType": "git"
      }
    ]
  }
]

Source	Link
security	www.security.netapp.com/advisory/ntap-20240524-0002/
spring	www.spring.io/security/cve-2024-22259

Parameter	Position	Path	Description	CWE
url	path	redirect	Open redirect vulnerability demonstrated by UriComponentsBuilder parsing input from a query parameter to /redirect.	CWE-601
url	path	health-check	SSRF vulnerability demonstrated by URL parsing mismatch affecting /health-check when a user-supplied URL is involved.	CWE-601

10 Jun 2025 15:55Current

6Medium risk

Vulners AI Score6

CVSS 3.18.1

EPSS0.56395

SSVC

CWE-601