Scan detects CVE-2024-22259 and flags CA API Gateways with the Spring Framework Open Redirect Vulnerability

Article ID: 281962

Products

CA API Gateway

Issue/Introduction

A vulnerability scan flags CA API Gateways with the Spring Framework Open Redirect Vulnerability, CVE-2024-22259 (https://spring.io/security/cve-2024-22259), because of the following files:

/opt/SecureSpan/Controller/lib/spring-core-5.3.30.jar

/opt/SecureSpan/Gateway/runtime/lib/spring-core-5.3.30.jar

Environment

API Gateway 10.1+, 11.0+

Cause

Vulnerability flagged by a scan tool.

Resolution

1. The Gateway source repository shows no usages of UriComponentsBuilder.

2. This CVE is marked as Mitigated with the following comments:

Spring itself is not directly responsible for handling HTTP request processing in the Gateway. Instead, it relies on a servlet container, i.e. Tomcat and Jetty, to manage incoming requests. The CVE specifically affects the UriComponentsBuilder class.

However, this class is not implicitly used within the Spring Cloud Gateway to construct URIs.

Therefore, the CVE does not impact the gateway.
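To repeat the "no usages" check from step 1 against an installed Gateway rather than the source repository, the following added example (not Broadcom's code) scans every jar under a directory for compiled references to UriComponentsBuilder. It covers all jars, not only the flagged spring-core jar, because the class itself ships in spring-web; the jars it builds are a constructed fixture, and the directory to scan on a real system (for instance /opt/SecureSpan) is an assumption.

```python
import os
import tempfile
import zipfile

# JVM-internal name of the class CVE-2024-22259 concerns; compiled callers
# record it verbatim in their constant pool.
TARGET = b"org/springframework/web/util/UriComponentsBuilder"

def scan_jar(jar_path):
    """Return the .class entries in jar_path that reference TARGET,
    excluding the class's own definition and its inner classes."""
    hits = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in sorted(zf.namelist()):
            if not name.endswith(".class") or name.startswith(TARGET.decode()):
                continue
            # Constant-pool strings are (modified) UTF-8, so a byte search
            # for the internal name finds every compiled reference.
            if TARGET in zf.read(name):
                hits.append(name)
    return hits

def scan_tree(root):
    """Map each jar under root (relative path) to its referencing classes."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                hits = scan_jar(path)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

def build_sample_tree(root):
    """Constructed fixture (not real compiled classes): one jar whose class
    references the builder, one whose class does not."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "uses-builder.jar"), "w") as zf:
        zf.writestr("com/example/Redirect.class",
                    b"\xca\xfe\xba\xbe" + TARGET + b"\x0cfromUriString")
    with zipfile.ZipFile(os.path.join(lib, "clean.jar"), "w") as zf:
        zf.writestr("com/example/Plain.class", b"\xca\xfe\xba\xbejava/lang/Object")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")

def run_demo():
    """Scan the constructed fixture; call scan_tree on a real install directory instead."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

An empty report from scan_tree over the Gateway's lib directories corroborates the mitigation claim; any hit names the exact jar and class to review.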