Hello team,

Just wanted to reach out and report a potential CVE.

Our daily BlackDuck, SonarQube, OWASP Dependency-Check and Checkmarx scans detected this:

Please feel free to close this if you believe it is not relevant; otherwise, please help with the issue.

Thank you for your time.

```json
[
    {
        "Related Vuln": "",
        "CVE ID": "BDSA-2024-0625",
        "Vulnerability Description": "Spring Framework is vulnerable to server-side request forgery (SSRF) and an open redirect attack. An attacker could send a crafted HTTP request and deceive the application into making requests to unintended systems. This could enable an attacker to access confidential information or send harmful requests to other servers from the compromised system.\n\n**Note:** This affects applications that use `UriComponentsBuilder` to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL.",
        "Package Name": "Spring Framework",
        "Package Version": "6.1.4",
        "Status": "NEW",
        "Vulnerability Published Date": "2024-03-14",
        "Upgrade-Guidance": {
            "Short-Term": "unknown",
            "Long-Term": "unknown"
        },
        "Package Location": [
            "logan-1.1.jar!/BOOT-INF/lib/spring-aop-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-beans-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-context-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-core-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-expression-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-messaging-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-web-6.1.4.jar",
            "logan-1.1.jar!/BOOT-INF/lib/spring-context-6.1.4.jar!/org/springframework",
            "logan-1.1.jar!/BOOT-INF/lib/spring-web-6.1.4.jar!/org/springframework",
            "logan-1.1.jar!/BOOT-INF/lib/spring-core-6.1.4.jar!/org/springframework/",
            "logan-1.1.jar!/BOOT-INF/lib/spring-aop-6.1.4.jar!/org/springframework/aop",
            "logan-1.1.jar!/BOOT-INF/lib/spring-beans-6.1.4.jar!/org/springframework/beans",
            "logan-1.1.jar!/BOOT-INF/lib/spring-expression-6.1.4.jar!/org/springframework/expression/spel"
        ],
        "Score": 8.7,
        "Severity": "High",
        "Origin": [
            "maven:org.springframework:spring-aop:6.1.4",
            "maven:org.springframework:spring-beans:6.1.4",
            "maven:org.springframework:spring-context:6.1.4",
            "maven:org.springframework:spring-core:6.1.4",
            "maven:org.springframework:spring-expression:6.1.4",
            "maven:org.springframework:spring-messaging:6.1.4",
            "maven:org.springframework:spring-web:6.1.4"
        ]
    }
]
```

Comment From: bclozel

I think those reports are meant to be actionable for the development team, not the project maintainers. See: https://spring.io/blog/2024/03/14/spring-framework-6-1-5-6-0-18-and-5-3-33-available-now-including-fixes-for and https://spring.io/security/cve-2024-22259

Also, security-related reports should be made through the appropriate channel: https://github.com/spring-projects/spring-framework/blob/main/SECURITY.md