CVE-2024-22243: Spring Framework URL Parsing with Host Validation

[agwlprince617]

I am involved in vulnerability fixes and recently we were facing this issue. I have gone through the spring security documentation (https://spring.io/security/cve-2024-22243) and upgraded my spring framework to 5.3.32 but when we scan through blackduck we get critical vulnerabilities.

Does anyone know the fix for this, apart from upgrading to latest spring boot version?

[bclozel]

when we scan through blackduck we get critical vulnerabilities.

Can you elaborate? What vulnerabilities are being reported?

[agwlprince617]

Yes sure,

[agwlprince617]

More details on the vulnerability https://nvd.nist.gov/vuln/detail/CVE-2024-22243

[bclozel]

I don't see this vulnerability being mentioned in your screenshot. CVE-2024-22243 is fixed in 5.3.32. If your tool is still considering it as vulnerable, please report it to your tool vendor.

[bclozel]

The https://www.cve.org/CVERecord?id=CVE-2024-22243 entry lists the correct versions and so does GHSA-ccgv-vj62-xf9h - I'm not sure where Blackduck gets its metadata from but it looks good from our perspective. In all cases, the main reference should always be our security advisories: https://spring.io/security/cve-2024-22243

[agwlprince617]

Sorry for the confusion @bclozel, I understand your point and we were getting this error while using spring-framework 5.3.31, when we upgrade it to 5.3.32 we are getting the below error. Thanks again in advance!!

[bclozel]

This is a false positive. See #24434 for details.