VulnerableCode Package Details - pkg:maven/org.springframework/spring-web@6.1.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-5ng1-3a32-cugs Aliases: CVE-2024-22262 GHSA-2wrp-6fg6-hmc5	Spring Framework URL Parsing with Host Validation Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.	6.1.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-x5w8-j62d-m7h6 Aliases: CVE-2024-38809 GHSA-2rmj-mq67-h97g	Spring Framework DoS via conditional HTTP request ### Description Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack. ### Affected Spring Products and Versions org.springframework:spring-web in versions 6.1.0 through 6.1.11 6.0.0 through 6.0.22 5.3.0 through 5.3.37 Older, unsupported versions are also affected ### Mitigation Users of affected versions should upgrade to the corresponding fixed version. 6.1.x -> 6.1.12 6.0.x -> 6.0.23 5.3.x -> 5.3.38 No other mitigation steps are necessary. Users of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a Filter.	6.1.12 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5ng1-3a32-cugs
Aliases:
CVE-2024-22262
GHSA-2wrp-6fg6-hmc5

Spring Framework URL Parsing with Host Validation Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

6.1.6
Affected by 1 other vulnerability.

VCID-x5w8-j62d-m7h6
Aliases:
CVE-2024-38809
GHSA-2rmj-mq67-h97g

Spring Framework DoS via conditional HTTP request ### Description Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack. ### Affected Spring Products and Versions org.springframework:spring-web in versions 6.1.0 through 6.1.11 6.0.0 through 6.0.22 5.3.0 through 5.3.37 Older, unsupported versions are also affected ### Mitigation Users of affected versions should upgrade to the corresponding fixed version. 6.1.x -> 6.1.12 6.0.x -> 6.0.23 5.3.x -> 5.3.38 No other mitigation steps are necessary. Users of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a Filter.

6.1.12
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-dnat-v8gu-aqdn	Spring Framework URL Parsing with Host Validation Vulnerability Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.	CVE-2024-22259 GHSA-hgjh-9rj2-g67j

Vulnerability

Summary

Aliases

VCID-dnat-v8gu-aqdn

Spring Framework URL Parsing with Host Validation Vulnerability Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.

CVE-2024-22259
GHSA-hgjh-9rj2-g67j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:09:25.092715+00:00	GitLab Importer	Affected by	VCID-x5w8-j62d-m7h6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-38809.yml	38.4.0
2026-04-16T22:56:00.435156+00:00	GitLab Importer	Affected by	VCID-5ng1-3a32-cugs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22262.yml	38.4.0
2026-04-16T22:54:03.066685+00:00	GitLab Importer	Fixing	VCID-dnat-v8gu-aqdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22259.yml	38.4.0
2026-04-12T00:27:39.055771+00:00	GitLab Importer	Affected by	VCID-x5w8-j62d-m7h6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-38809.yml	38.3.0
2026-04-12T00:14:37.169244+00:00	GitLab Importer	Affected by	VCID-5ng1-3a32-cugs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22262.yml	38.3.0
2026-04-12T00:12:27.232098+00:00	GitLab Importer	Fixing	VCID-dnat-v8gu-aqdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22259.yml	38.3.0
2026-04-03T00:35:21.648198+00:00	GitLab Importer	Affected by	VCID-x5w8-j62d-m7h6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-38809.yml	38.1.0
2026-04-03T00:20:57.652447+00:00	GitLab Importer	Affected by	VCID-5ng1-3a32-cugs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22262.yml	38.1.0
2026-04-03T00:18:48.358730+00:00	GitLab Importer	Fixing	VCID-dnat-v8gu-aqdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22259.yml	38.1.0
2026-04-01T16:04:51.615361+00:00	GHSA Importer	Fixing	VCID-dnat-v8gu-aqdn	https://github.com/advisories/GHSA-hgjh-9rj2-g67j	38.0.0
2026-04-01T12:52:39.176322+00:00	GitLab Importer	Fixing	VCID-dnat-v8gu-aqdn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22259.yml	38.0.0
2026-04-01T12:51:01.048027+00:00	GithubOSV Importer	Fixing	VCID-dnat-v8gu-aqdn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-hgjh-9rj2-g67j/GHSA-hgjh-9rj2-g67j.json	38.0.0