Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.springframework/spring-web@6.1.6 |
|---|
| Type | maven |
|---|
| Namespace | org.springframework |
|---|
| Name | spring-web |
|---|
| Version | 6.1.6 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 6.1.12 |
|---|
| Latest_non_vulnerable_version | 6.2.8 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-x5w8-j62d-m7h6 |
| vulnerability_id |
VCID-x5w8-j62d-m7h6 |
| summary |
Spring Framework DoS via conditional HTTP request
### Description
Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack.
### Affected Spring Products and Versions
org.springframework:spring-web in versions
6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37
Older, unsupported versions are also affected
### Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a Filter. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-38809 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.3416 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34196 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34208 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34176 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34199 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.3421 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34168 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34304 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.34272 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.0014 |
| scoring_system |
epss |
| scoring_elements |
0.3424 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-38809 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-38809, GHSA-2rmj-mq67-h97g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x5w8-j62d-m7h6 |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-5ng1-3a32-cugs |
| vulnerability_id |
VCID-5ng1-3a32-cugs |
| summary |
Spring Framework URL Parsing with Host Validation
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-22262 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93992 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93952 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.9397 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93967 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93964 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93955 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93943 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93991 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.12634 |
| scoring_system |
epss |
| scoring_elements |
0.93985 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-22262 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-22262, GHSA-2wrp-6fg6-hmc5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ng1-3a32-cugs |
|
|
|---|
| Risk_score | 3.1 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.1.6 |
|---|