Nikhil created CXF-9016:
---------------------------

             Summary: Upgrade Spring-Framework to 5.3.34 in Apache-cxf
                 Key: CXF-9016
                 URL: https://issues.apache.org/jira/browse/CXF-9016
             Project: CXF
          Issue Type: Improvement
    Affects Versions: 3.6.3, 3.5.8, 3.5.7, 3.5.6, 3.5.5
            Reporter: Nikhil


We have a high severity security issue with spring-framework that affects the
spring-framework versions below:

*Summary*: Applications that use UriComponentsBuilder in Spring Framework
to parse an externally provided URL (e.g. through a query parameter) AND
perform validation checks on the host of the parsed URL may be vulnerable to an
open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to an
SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243],
but with different input.

*Note:* This is the same as *CVE-2024-22259* and *CVE-2024-22243*, but with
different input.
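As an added illustration (not code from this ticket, from CXF or from Spring), the pattern the advisory describes, written against the public UriComponentsBuilder API: a redirect helper that validates the host of the parsed URL and then reuses the raw input, beside a version that only ever redirects to a target rebuilt from the components that were validated. The allowlist, class and method names are assumed for the example; the fix the ticket asks for remains the upgrade to 5.3.34.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

// Assumed example class; ALLOWED_HOSTS is a constructed allowlist.
public class RedirectTargetCheck {
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.org", "www.example.org");

    // At-risk pattern from the advisory: the host of the PARSED URL is checked,
    // but the RAW untrusted string is what gets used afterwards. Anything the
    // downstream consumer (browser, HTTP client) reads differently from
    // UriComponentsBuilder is therefore never covered by the check.
    public static String riskyRedirectTarget(String untrustedUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(untrustedUrl).build();
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed");
        }
        return untrustedUrl; // raw input reused after validation
    }

    // Conservative pattern: do not reuse the raw input at all. Rebuild the target
    // from the validated host plus a fixed scheme and no user-info, carrying over
    // only port, path and query, and let the URI conversion reject what it cannot
    // represent. The consumer then receives exactly what was validated.
    public static String safeRedirectTarget(String untrustedUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(untrustedUrl).build();
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed");
        }
        URI rebuilt = UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .port(parsed.getPort())   // -1 when absent, which clears the port
                .path(parsed.getPath())
                .query(parsed.getQuery())
                .build()
                .toUri();
        return rebuilt.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input for the example.
        System.out.println(safeRedirectTarget("https://www.example.org/login?next=/home"));
    }
}
```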

--

All these issues were fixed in Spring-Framework *5.3.34*

Could you please review and update Spring-Framework as needed in the CXF package?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)