Spring Framework Security Update Advisory

Overview

 

Updates have been made available to address vulnerabilities in the Spring Framework and the related Spring Security and Reactor Netty projects. Users of affected versions are advised to update to the patched versions listed below.

 

Affected Products

 

CVE-2024-22233

  • Spring Framework versions 6.0.15, 6.1.2

 

CVE-2024-22259

  • Spring Framework 6.1.0 through 6.1.4
  • Spring Framework 6.0.0 through 6.0.17
  • Spring Framework 5.3.0 through 5.3.32
  • Older, unsupported versions

 

CVE-2023-34053

  • Spring Framework 6.0.0 through 6.0.13

 

CVE-2024-22234

  • Spring Security 6.1.0 through 6.1.6
  • Spring Security 6.2.0 through 6.2.1

 

CVE-2023-34054

  • Reactor Netty 1.1.0 through 1.1.12
  • Reactor Netty 1.0.0 through 1.0.38
  • Older, unsupported versions (before 1.0.0)

 

Resolved Vulnerabilities

 

Denial-of-service vulnerabilities in Spring Framework web applications: a user can send specially crafted HTTP requests that cause a DoS condition. For CVE-2024-22233 the application must use Spring MVC with Spring Security 6.1.6+ or 6.2.1+ on the classpath; for CVE-2023-34053 the application must use Spring MVC or Spring WebFlux with io.micrometer:micrometer-core on the classpath and an ObservationRegistry configured to record observations (CVE-2024-22233, CVE-2023-34053)

Applications that use UriComponentsBuilder in Spring Framework to parse an externally supplied URL (for example from a query parameter) and then validate the host of the parsed URL may be vulnerable to an open redirect or SSRF attack if the URL is used after passing the validation check (CVE-2024-22259)
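The following is an added illustration of the pattern described above and of a redirect design that does not depend on how a URL parser reports the host; it is not code from the advisory or from the Spring project. The class name, the allow-listed host app.example.com and the fixed base URL are assumptions made for the example. The real fix for the vulnerable pattern is to upgrade to a patched version; the hardened variant is defense in depth that remains valid afterwards.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetPolicy {

    // Assumed allow-list of hosts this application is willing to redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    /**
     * The pattern CVE-2024-22259 concerns: an externally supplied absolute URL is
     * parsed with UriComponentsBuilder, the parsed host is checked against an
     * allow-list, and the ORIGINAL string is then used as the redirect (or
     * outbound request) target. On affected Spring Framework versions a crafted
     * URL can pass this host check and still lead to another host when used,
     * which is the open redirect / SSRF outcome the advisory describes.
     */
    static String vulnerableTarget(String externalUrl) {
        String host = UriComponentsBuilder.fromUriString(externalUrl).build().getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("redirect host not allowed: " + host);
        }
        return externalUrl; // raw client-controlled string reused after validation
    }

    /**
     * Hardened variant: do not accept absolute URLs from the client at all. Only
     * an application-relative path is accepted, and the final target is assembled
     * on a fixed, trusted base, so no parser decision about the host is involved.
     */
    static String hardenedTarget(String externalPath) throws URISyntaxException {
        // Reject anything that a browser could read as carrying an authority:
        // "//evil.example" and "/\evil.example" both become protocol-relative URLs.
        if (externalPath == null || !externalPath.startsWith("/")
                || externalPath.startsWith("//") || externalPath.startsWith("/\\")) {
            throw new IllegalArgumentException("only an application-relative path is accepted");
        }
        URI parsed = new URI(externalPath); // strict RFC 2396 parse; throws on malformed input
        if (parsed.getScheme() != null || parsed.getAuthority() != null) {
            throw new IllegalArgumentException("path must not carry a scheme or authority");
        }
        // Assumed fixed base for this application; only path and query come from the client.
        return new URI("https", "app.example.com", parsed.getPath(), parsed.getQuery(), null).toString();
    }
}
```

With this design a "redirect" parameter such as /account/settings?tab=security is rebuilt as https://app.example.com/account/settings?tab=security, while values such as //evil.example, /\evil.example or https://evil.example are rejected before any parser is asked for a host.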

Broken access control vulnerability in Spring Security when an application directly calls the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method and passes it a null Authentication, which erroneously returns true; applications that only use isFullyAuthenticated through method security or HTTP request security are not affected (CVE-2024-22234)
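The following is an added illustration of the direct-use pattern described above together with a hardened form; it is not code from the advisory or from the Spring Security project. The class name and the guard method names are assumptions made for the example.

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class SettingsGuard {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Direct use of isFullyAuthenticated(Authentication), as described in
     * CVE-2024-22234. When no Authentication has been stored in the security
     * context (for example with anonymous authentication disabled, or on a
     * thread outside the filter chain), getAuthentication() returns null. On
     * Spring Security 6.1.0 - 6.1.6 and 6.2.0 - 6.2.1, isFullyAuthenticated(null)
     * returns true, so this guard lets an unauthenticated caller through.
     */
    boolean vulnerableGuard() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return trustResolver.isFullyAuthenticated(auth);
    }

    /**
     * Hardened: never hand a null Authentication to the resolver. Upgrading to
     * 6.1.7 / 6.2.2 makes isFullyAuthenticated(null) return false as well, but
     * the explicit check keeps the guard correct regardless of library version
     * and covers any code path that obtains an Authentication from elsewhere.
     */
    boolean hardenedGuard() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && trustResolver.isFullyAuthenticated(auth);
    }
}
```

Where the check is only needed on a controller or service method, the advisory's own guidance applies: expressing it as method security (the isFullyAuthenticated() expression in @PreAuthorize) or as HTTP request security (.fullyAuthenticated()) avoids calling the resolver directly, and those paths are not affected.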

Vulnerability in Reactor Netty HTTP Server through which specially crafted HTTP requests can cause a DoS condition when the server's built-in Micrometer integration is enabled (CVE-2023-34054)

 

Vulnerability Patches

 

CVE-2024-22233

  • Spring Framework 6.0.16, 6.1.3 versions

 

CVE-2024-22259

  • Spring Framework 6.1.5, 6.0.18, 5.3.33 versions

 

CVE-2023-34053

  • Spring Framework 6.0.14 version

 

CVE-2024-22234

  • Spring Security 6.1.7, 6.2.2 versions

 

CVE-2023-34054

  • Reactor Netty 1.1.13, 1.0.39 versions

 

Referenced Sites

 

[1] CVE-2024-22233: Spring Framework server Web DoS Vulnerability
https://spring.io/security/cve-2024-22233

[2] CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
https://spring.io/security/cve-2024-22259

[3] CVE-2023-34053: Spring Framework server Web Observations DoS Vulnerability
https://spring.io/security/cve-2023-34053

[4] CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
https://spring.io/security/cve-2024-22234