CVE-2024-22259: Open Redirect and SSRF Vulnerabilities in Applications Using UriComponentsBuilder in Spring Framework

CVE-2024-22259 highlights a vulnerability in applications that use UriComponentsBuilder in the Spring Framework to parse externally provided URLs and perform validation checks on the host of the parsed URL. This vulnerability exposes the application to open redirect and Server Side Request Forgery (SSRF) attacks if the URL is used after passing the validation checks. It is similar to CVE-2024-22243 but with different input.

Details

UriComponentsBuilder is a utility class in the Spring Framework for building URIs in a clean and efficient manner. It is particularly useful for constructing URLs from user inputs. Unfortunately, certain implementations of UriComponentsBuilder to parse externally provided URLs (like from query parameters) and validate the host expose the applications to open redirect and SSRF attacks if the URL is used after passing the validation checks.

An open redirect attack occurs when an application is vulnerable to unwanted redirection, which can lead to phishing attacks, malicious site visits, or unintended exposure of sensitive data. SSRF attacks, on the other hand, involve an attacker inducing a server to make requests on their behalf, potentially leading to unauthorized access to internal resources or bypassing authentication mechanisms.

Consider the following example code

@GetMapping("/redirect")
public String redirect(@RequestParam("url") String url, Model model) {
    UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(url);
    if (isTrustedHost(builder.build().getHost())) {
        return "redirect:" + builder.toUriString();
    }
    model.addAttribute("error", "Invalid URL!");
    return "error";
}

private boolean isTrustedHost(String host) {
    return trustedHosts.contains(host);
}

The above code demonstrates a scenario where the application is parsing an externally provided URL using UriComponentsBuilder and then validating the host using the isTrustedHost() method. If the host passes validation, the application then uses the URL to initiate a redirect. This may leave the application susceptible to open redirect and SSRF attacks due to the improper handling of user inputs and URL validation.

Exploit

To exploit this vulnerability, an attacker could craft a malicious URL that bypasses the host validation checks, in turn causing an unintended redirect to a different location or causing an SSRF attack.

Example

http://example.com/redirect?url=http://trusted-domain.com@evil-domain.com

In this example, the application might incorrectly validate the URL as belonging to a trusted domain, ultimately redirecting the user to the attacker’s domain or initiating an SSRF attack.

To mitigate this vulnerability, you should

1. Update your application to the latest version of the Spring Framework. The Spring team has been notified about this vulnerability, and they have addressed it in newer versions.

2. If updating the Spring version is not feasible, you should implement proper validation of user inputs before using them in URI building, especially when dealing with URLs. One solution is to use Java's java.net.URI class instead of UriComponentsBuilder for URL parsing and validation, as shown below:

java.net.URI uri = new java.net.URI(url);
if (isTrustedHost(uri.getHost())) {
    // ...
}

References

1. CVE-2024-22259: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22259
2. CWE-601: Open Redirect: https://cwe.mitre.org/data/definitions/601.html
3. Spring Framework: https://spring.io/
4. CVE-2024-22243: https://spring.io/security/cve-2024-22243
5. UriComponentsBuilder documentation: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/UriComponentsBuilder.html

Timeline

Published on: 03/16/2024 05:15:20 UTC
Last modified on: 03/17/2024 22:38:29 UTC