Nikhil created CXF-9016: --------------------------- Summary: Upgrade Spring-Framework to 5.3.34 in Apache-cxf Key: CXF-9016 URL: https://issues.apache.org/jira/browse/CXF-9016 Project: CXF Issue Type: Improvement Affects Versions: 3.6.3, 3.5.8, 3.5.7, 3.5.6, 3.5.5 Reporter: Nikhil
We have a high severity security issue with spring-framework which is affected the below spring-framework versions :: {*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243] , but with different input. *Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with different input. -- All these issues were fixed in Spring-Framework *5.3.34* Could you please review and update Spring-Framework as needed in CXF package ? -- This message was sent by Atlassian Jira (v8.20.10#820010)