[
https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andriy Redko updated CXF-9016:
------------------------------
Fix Version/s: 3.5.9
4.1.0
4.0.5
3.6.4
> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
> Key: CXF-9016
> URL: https://issues.apache.org/jira/browse/CXF-9016
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
> Reporter: Nikhil
> Priority: Major
> Fix For: 3.5.9, 4.1.0, 4.0.5, 3.6.4
>
>
> We have a high severity security issue with spring-framework ::
> h2. Affected Spring Products and Versions
> Spring Framework
> * 6.1.0 - 6.1.5
> * 6.0.0 - 6.0.18
> * 5.3.0 - 5.3.33
> * Older, unsupported versions are also affected
>
> {*}Summary{*}: Applications that use UriComponentsBuilder in Spring Framework
> to parse an externally provided URL (e.g. through a query parameter) AND
> perform validation checks on the host of the parsed URL may be vulnerable to
> a open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or
> to a SSRF attack if the URL is used after passing validation checks.
> This is the same as CVE-2024-22243
> [https://spring.io/security/cve-2024-22243] , but with different input.
>
> *Note:* This is the same as *CVE-2024-22259* and {*}CVE-2024-22243{*}, but
> with different input.
> –
> All these issues were fixed in Spring-Framework *5.3.34*
>
> *Could you please review and update Spring-Framework as needed in CXF package
> ?*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
