Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
A vulnerability was discovered in Spring Framework. Under certain conditions, an attacker might be able to trigger an open redirect. This issue can simplify the process of conducting a phishing attack against users of the deployment.
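The description above boils down to one defensive rule: never forward a user to the raw input string, only to a URL rebuilt from the components that were actually checked. The following is an added illustration of that rule, not code from the advisory or from Spring; it uses the strict java.net.URI parser instead of UriComponentsBuilder, and the class name, method name and allowlist hosts are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example (not from the advisory or Spring): a redirect-target check that
// returns a URL rebuilt from validated parts, never the caller's raw string.
public final class RedirectTargetValidator {

    // Constructed allowlist of hosts this deployment is permitted to redirect to.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("app.example.com", "sso.example.com");

    /** Returns a safe redirect URL, or null when the input must be rejected. */
    public static String safeRedirectTarget(String externalUrl) {
        if (externalUrl == null || externalUrl.isBlank()) {
            return null;
        }
        URI parsed;
        try {
            parsed = new URI(externalUrl); // strict RFC 3986 parse; malformed input throws
        } catch (URISyntaxException e) {
            return null;
        }
        // Require an absolute http(s) URL: no relative paths, no other schemes.
        String scheme = parsed.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;
        }
        // A redirect target never needs user-info; reject it instead of reasoning
        // about how each parser on the request path treats it.
        if (parsed.getRawUserInfo() != null) {
            return null;
        }
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        // Rebuild the destination from the checked components only, so nothing the
        // parser did with the original string can reintroduce a different host.
        try {
            return new URI(scheme.toLowerCase(), null, host, parsed.getPort(),
                    parsed.getPath(), parsed.getQuery(), null).toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

A controller would call `safeRedirectTarget(param)` and fall back to a fixed local landing page whenever it returns null.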
Statement
The open redirect vulnerability discovered in the Spring Framework poses a moderate severity issue due to its potential to facilitate phishing attacks. While it doesn't directly lead to data compromise or system takeover, it significantly increases the likelihood of users being misled into visiting malicious websites.
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 3 | springframework | Out of support scope | | |
| Red Hat Data Grid 8 | springframework | Not affected | | |
| Red Hat JBoss Data Grid 7 | springframework | Not affected | | |
| streams for Apache Kafka | springframework | Will not fix | | |
| Red Hat Fuse 7.13.0 | springframework | Fixed | RHSA-2024:3354 | 23.05.2024 |
Additional information
EPSS: 3.4 (Low)
CVSS3:
Related vulnerabilities
Spring Web vulnerable to Open Redirect or Server Side Request Forgery
A vulnerability in the Spring Framework software platform, caused by insufficient validation of user-supplied input, that allows an attacker to carry out an SSRF attack