[
https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nikhil updated CXF-9016:
------------------------
Description:
We have a high severity security issue with spring-framework ::
h2. Affected Spring Products and Versions
Spring Framework
* 6.1.0 - 6.1.5
* 6.0.0 - 6.0.18
* 5.3.0 - 5.3.33
* Older, unsupported versions are also affected
{*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework
to parse an externally provided URL (e.g. through a query parameter) AND
perform validation checks on the host of the parsed URL may be vulnerable to a
open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a
SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243]
, but with different input.
*Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with
different input.
–
All these issues were fixed in Spring-Framework *5.3.34*
*Could you please review and update Spring-Framework as needed in CXF package ?*
was:
We have a high severity security issue with spring-framework which is affected
the below spring-framework versions ::
{*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework
to parse an externally provided URL (e.g. through a query parameter) AND
perform validation checks on the host of the parsed URL may be vulnerable to a
open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to a
SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243]
, but with different input.
*Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but with
different input.
--
All these issues were fixed in Spring-Framework *5.3.34*
Could you please review and update Spring-Framework as needed in CXF package ?
> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
> Key: CXF-9016
> URL: https://issues.apache.org/jira/browse/CXF-9016
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
> Reporter: Nikhil
> Priority: Major
>
> We have a high severity security issue with spring-framework ::
> h2. Affected Spring Products and Versions
> Spring Framework
> * 6.1.0 - 6.1.5
> * 6.0.0 - 6.0.18
> * 5.3.0 - 5.3.33
> * Older, unsupported versions are also affected
>
> {*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework
> to parse an externally provided URL (e.g. through a query parameter) AND
> perform validation checks on the host of the parsed URL may be vulnerable to
> a open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or
> to a SSRF attack if the URL is used after passing validation checks.
> This is the same as CVE-2024-22243
> [https://spring.io/security/cve-2024-22243] , but with different input.
>
> *Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but
> with different input.
> –
> All these issues were fixed in Spring-Framework *5.3.34*
>
> *Could you please review and update Spring-Framework as needed in CXF package
> ?*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
