Overview
Spring Framework is a comprehensive Java framework for building enterprise applications. It provides a flexible programming model for web applications in Java, together with tooling for application configuration, data access, and security.
This vulnerability (CVE-2024-22259) is in spring-web, and is triggered when the UriComponentsBuilder class is used to parse an externally provided URL and the application then validates the parsed host before using that URL. The host that UriComponentsBuilder reports can differ from the host that a browser or HTTP client will actually connect to, so the validation can be bypassed and the application becomes susceptible to open redirect and Server-Side Request Forgery (SSRF) attacks. The issue is similar to CVE-2024-22243 but is triggered by different input.
According to the Common Weakness Enumeration (CWE), an open redirect (CWE-601) occurs when an application redirects users to a URL it accepted from untrusted input, which lets an attacker send victims to a malicious site while the link still appears to begin with a trusted domain; this is typically used for phishing and credential theft. Server-Side Request Forgery (CWE-918) occurs when a server fetches a URL supplied by an attacker without verifying its destination, which can allow the attacker to bypass access controls, reach internal network services, or read sensitive resources.
This issue affects multiple versions of Spring Framework.
Details
Module Info
- Product: Spring Framework
- Affected packages: spring-web
- Affected versions: <=4.3.31, >=5.3.0 <5.3.33, >=6.0.0 <6.0.17, >=6.1.0 <6.1.5
- GitHub repository:
https://github.com/spring-projects/spring-framework/tree/main/spring-web
- Published package: https://mvnrepository.com/artifact/org.springframework/spring-web
- Package manager: Maven
- Fixed in: NES for Spring Framework v4.3.32 and v5.3.44
Vulnerability Info
This high-severity vulnerability is found in the spring-web.jar module of the Spring Framework. It has low attack complexity and requires no privileges to exploit, but it does require user interaction, such as a victim clicking a crafted URL.
When the UriComponentsBuilder class is used to parse externally provided URLs, a URL value taken from an HTTP parameter can redirect the user to an unexpected site even though the application checked the host.
The issue specifically involves the userinfo part of the URL (scheme://userinfo@host). That part can contain characters, including percent-encoded ones, that UriComponentsBuilder and the eventual consumer of the URL (a browser or an HTTP client) interpret differently, so the host that the framework reports is not the host that will actually be contacted. For example, a crafted URL such as http://legit.com%40user%40attacker.com might be reported by the framework as belonging to legit.com while a browser treats attacker.com as the destination.
Additionally, developers using UriComponentsBuilder often do not validate the output of the class at all. Even when host validation is implemented, it is frequently too lenient or fails to account for such edge cases. The vulnerability therefore arises from a combination of a parsing flaw in the class and insufficient validation at the application level.
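The following is an added example, not code from the Spring project or from this advisory. It places the vulnerable pattern (trust the host that UriComponentsBuilder reports, then forward the raw string) next to a hardened check that parses the input with java.net.URI as well, rejects any userinfo, requires both parsers to agree on the host, and rebuilds the redirect target from the validated components instead of forwarding the attacker's string. The allowlist, the class name and the sample inputs are hypothetical; it assumes Java 11+ and spring-web on the classpath, and it makes no claim about what a given spring-web version returns for the crafted inputs (that is exactly what the hardened check stops depending on).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetCheck {

    // Hypothetical allowlist of hosts this application is willing to redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("legit.com", "www.legit.com");

    /**
     * Vulnerable pattern: trust the host that UriComponentsBuilder reports and then
     * forward the ORIGINAL string. If the parser and the browser disagree about where
     * the host ends, this check passes for an attacker-controlled URL.
     * Whether it passes for a given crafted input depends on the spring-web version.
     */
    static String hostLooksAllowed(String externalUrl) {
        try {
            UriComponents parsed = UriComponentsBuilder.fromUriString(externalUrl).build();
            String host = parsed.getHost();
            boolean ok = host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
            return ok + " (host seen by spring-web: " + host + ")";
        } catch (IllegalArgumentException e) {
            return "rejected by spring-web parser: " + e.getMessage();
        }
    }

    /**
     * Hardened pattern: returns a redirect target rebuilt from validated components,
     * or null if the input must be rejected.
     */
    static String safeRedirectTarget(String externalUrl) {
        // Site-relative paths never leave the origin. "//host/..." is scheme-relative
        // and would leave it, so it is deliberately not accepted here.
        if (externalUrl.startsWith("/") && !externalUrl.startsWith("//")) {
            return externalUrl;
        }
        URI uri;
        try {
            uri = new URI(externalUrl); // strict parse; e.g. '[' inside the authority throws
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return null;
        }
        if (uri.getRawUserInfo() != null) {
            return null; // a redirect target never needs the user@host form
        }
        String host = uri.getHost(); // null when java.net.URI could not parse a server authority
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        // Second opinion: the Spring parser must agree that there is no userinfo
        // and that the host is the same one java.net.URI found.
        try {
            UriComponents spring = UriComponentsBuilder.fromUriString(externalUrl).build();
            if (spring.getUserInfo() != null || !host.equalsIgnoreCase(spring.getHost())) {
                return null;
            }
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Rebuild from the validated parts instead of forwarding the raw input.
        StringBuilder target = new StringBuilder(scheme).append("://").append(host);
        if (uri.getPort() != -1) {
            target.append(':').append(uri.getPort());
        }
        String rawPath = uri.getRawPath();
        target.append(rawPath == null || rawPath.isEmpty() ? "/" : rawPath);
        if (uri.getRawQuery() != null) {
            target.append('?').append(uri.getRawQuery());
        }
        return target.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the two crafted forms quoted in this advisory.
        String[] samples = {
            "https://legit.com/account?tab=1",
            "/account",
            "//attacker.com/",
            "https://attacker.com/",
            "http://legit.com%40user%40attacker.com",
            "https://127.0.0.1[invalid.com",
        };
        for (String s : samples) {
            String target = safeRedirectTarget(s);
            System.out.printf("%-42s builder-only: %s%n", s, hostLooksAllowed(s));
            System.out.printf("%-42s hardened:     %s%n", "", target == null ? "REJECTED" : target);
        }
    }
}
```

Only the first two samples are accepted by safeRedirectTarget: the scheme-relative and attacker.com inputs fail the scheme and allowlist checks, the percent-encoded form yields no host from java.net.URI, and the bracket form fails to parse at all. The cross-check with a second parser is a defence in depth; the stronger fix is to redirect only to site-relative paths or to a server-side table of named destinations, so that no attacker-supplied absolute URL is ever forwarded.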
Steps To Reproduce
For reproduction steps, refer to CVE-2024-22243 and follow the setup instructions there. Supplying slightly altered inputs bypasses the fix for that issue and triggers the redirection. For instance, using https://127.0.0.1[invalid.com as the URL query parameter can cause an unintended redirect.
Credits
- threedr3am
Mitigation
Spring Framework 4.3.x is no longer community-supported, and the community version will not receive an update for this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a corrected version (5.3.33, 6.0.17 or 6.1.5, or later).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.