[ https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17850982#comment-17850982 ]

Nikhil commented on CXF-9016:
-----------------------------

[~reta]  Thanks for the update. Could you please provide the fix version in 
which Spring has been upgraded for Apache CXF? This will help us take the 
right build for fixing the security vulnerability.

> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
>                 Key: CXF-9016
>                 URL: https://issues.apache.org/jira/browse/CXF-9016
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
>            Reporter: Nikhil
>            Priority: Major
>
> We have a high severity security issue with spring-framework:
> h2. Affected Spring Products and Versions
> Spring Framework
>  * 6.1.0 - 6.1.5
>  * 6.0.0 - 6.0.18
>  * 5.3.0 - 5.3.33
>  * Older, unsupported versions are also affected
>  
> *Summary*: Applications that use UriComponentsBuilder in Spring Framework 
> to parse an externally provided URL (e.g. through a query parameter) AND 
> perform validation checks on the host of the parsed URL may be vulnerable to 
> an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or 
> to an SSRF attack if the URL is used after passing validation checks.
> This is the same as CVE-2024-22243 
> [https://spring.io/security/cve-2024-22243] , but with different input.
>  
> *Note:* This is the same as *CVE-2024-22259* and *CVE-2024-22243*, but 
> with different input.
> –
> All these issues were fixed in Spring-Framework *5.3.34*
>  
> *Could you please review and update Spring-Framework as needed in the CXF package?*



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
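The pattern the quoted advisory warns about is "parse an untrusted URL, check the parsed host, then use the original string". The added example below, written for this page and not taken from Apache CXF or the Spring advisory, shows that pattern next to a hardened form that rejects anything but an absolute https URL on an allow-listed host and then rebuilds the target from the validated components rather than reusing the raw input. The allow-list host `example.com` and the class and method names are assumptions for the example; the specific inputs that bypassed the host check in the listed CVEs are not reproduced here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetValidator {

    // Constructed allow-list for this example; a real application supplies its own.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com");

    /**
     * The pattern from the advisory: the host check runs against the components
     * the parser produced, but the untrusted string itself is what is used
     * afterwards. If the parser and the later consumer (browser, HTTP client)
     * disagree about where the host ends, the check can pass for a URL that
     * actually points elsewhere (open redirect or SSRF).
     */
    public static String vulnerableTarget(String untrusted) {
        String host = UriComponentsBuilder.fromUriString(untrusted).build().getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        return untrusted; // raw input reused after validation
    }

    /**
     * Hardened form: parse with java.net.URI (strict parsing, malformed input is
     * rejected), require an absolute https URL with no userinfo, match the host
     * exactly against the allow-list, and rebuild the target from the validated
     * components. Anything the parser did not account for cannot survive into
     * the returned URL.
     */
    public static String safeTarget(String untrusted) {
        URI uri;
        try {
            uri = new URI(untrusted);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null
                || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        UriComponentsBuilder rebuilt = UriComponentsBuilder.newInstance()
                .scheme("https")
                .host(host)
                .path(uri.getRawPath() == null || uri.getRawPath().isEmpty()
                        ? "/" : uri.getRawPath())
                .query(uri.getRawQuery()); // null clears the query
        if (uri.getPort() != -1) {
            rebuilt.port(uri.getPort());
        }
        // build(true) treats the raw components as already encoded and verifies them
        return rebuilt.build(true).toUriString();
    }

    public static void main(String[] args) {
        // Constructed sample input: an allow-listed host with a path and query
        System.out.println(safeTarget("https://example.com/path?next=1"));
    }
}
```

Rebuilding the target is the part that matters for the advisory's failure mode: even if a parser quirk were to let a crafted string pass the host check, only the scheme, host, port, path and query that were actually validated reach the redirect or outbound request. Upgrading to the fixed Spring version remains necessary; this pattern reduces the blast radius of parser discrepancies rather than replacing the fix.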
