{
  "threat_severity" : "Moderate",
  "public_date" : "2024-02-21T00:00:00Z",
  "bugzilla" : {
    "description" : "springframework: URL Parsing with Host Validation",
    "id" : "2265735",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265735"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.", "A vulnerability was discovered in Spring Framework. Under certain conditions, an attacker might be able to trigger an open redirect. This issue can simplify the process of conducting a phishing attack against users of the deployment." ],
  "statement" : "The open redirect vulnerability discovered in the Spring Framework poses a moderate severity issue due to its potential to facilitate phishing attacks. While it doesn't directly lead to data compromise or system takeover, it significantly increases the likelihood of users being misled into visiting malicious websites.",
  "acknowledgement" : "Red Hat would like to thank Sean Pesce (Motorola Solutions) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.13.0",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3354",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "springframework"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Out of support scope",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Will not fix",
    "package_name" : "springframework",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-22243\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22243\nhttps://spring.io/security/cve-2024-22243" ],
  "name" : "CVE-2024-22243",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}