CVE-2024-22259 (CVE-2024-22243绕过) 深入分析与防护指南<\/h1>

漏洞概述<\/h2>
CVE-2024-22259是Spring框架中对CVE-2024-22243修复不充分导致的补充漏洞，影响Spring Web中的UriComponentsBuilder组件。该漏洞允许攻击者构造特殊URL绕过主机名验证，可能导致开放重定向(Open Redirect)或服务器端请求伪造(SSRF)攻击。<\/p>

受影响版本<\/h2>

Spring Framework 6.0.0 - 6.0.16<\/li>
Spring Framework 5.3.0 - 5.3.31<\/li>

其他基于这些版本的Spring衍生框架<\/li> <\/ul>

漏洞原理<\/h2>

UriComponentsBuilder功能<\/h3>
UriComponentsBuilder是Spring Web中用于构建和操作URI的工具类，提供链式API来构造URI。<\/p>

CVE-2024-22243原始漏洞<\/h3>

原始漏洞(CVE-2024-22243)允许通过以下方式绕过主机验证：<\/p>

使用UriComponentsBuilder.fromHttpUrl()<\/code>解析URL<\/li>
在URL中使用\<\/code>反斜杠字符<\/li>

导致主机名验证被绕过<\/li>
<\/ol>
CVE-2024-22259绕过方式<\/h3>
Spring对CVE-2024-22243的修复不充分，攻击者仍可通过两种方式绕过：<\/p>
方式一：使用UriComponentsBuilder.fromUriString()<\/code><\/h4>
UriComponentsBuilder.<\/span>fromUriString<\/span>(<\/span>"http:\/\/evil.com\\@trusted.com"<\/span>).<\/span>build<\/span>().<\/span>toUri<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>方式二：使用UriComponentsBuilder.fromUri()<\/code>结合UriComponentsBuilder.fromHttpUrl()<\/code><\/h4>
UriComponentsBuilder.<\/span>fromUri<\/span>(<\/span>
<\/span><\/span>    UriComponentsBuilder.<\/span>fromHttpUrl<\/span>(<\/span>"http:\/\/evil.com\\@trusted.com"<\/span>).<\/span>build<\/span>().<\/span>toUri<\/span>()<\/span>
<\/span><\/span>).<\/span>build<\/span>().<\/span>toUri<\/span>()<\/span>
<\/span><\/span><\/code><\/pre>这两种方式都能构造出绕过主机名验证的URL，导致请求被重定向到恶意网站或发起SSRF攻击。<\/p>
漏洞利用场景<\/h2>

开放重定向<\/strong>：当应用程序使用UriComponentsBuilder处理用户提供的URL进行重定向时<\/li>
SSRF攻击<\/strong>：当应用程序使用UriComponentsBuilder构建URL并用于服务器端请求时<\/li>
<\/ol>
漏洞验证方法<\/h2>
验证代码示例<\/h3>
import<\/span> org.springframework.web.util.UriComponentsBuilder;<\/span>
<\/span><\/span>import<\/span> java.net.URI;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> VulnerabilityTest<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        \/\/ 方式一验证
<\/span><\/span><\/span><\/span>        URI uri1 =<\/span> UriComponentsBuilder.<\/span>fromUriString<\/span>(<\/span>"http:\/\/evil.com\\@trusted.com"<\/span>).<\/span>build<\/span>().<\/span>toUri<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"方式一结果: "<\/span> +<\/span> uri1);<\/span>  \/\/ 应显示指向evil.com的URI
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        \/\/ 方式二验证
<\/span><\/span><\/span><\/span>        URI uri2 =<\/span> UriComponentsBuilder.<\/span>fromUri<\/span>(<\/span>
<\/span><\/span>            UriComponentsBuilder.<\/span>fromHttpUrl<\/span>(<\/span>"http:\/\/evil.com\\@trusted.com"<\/span>).<\/span>build<\/span>().<\/span>toUri<\/span>()<\/span>
<\/span><\/span>        ).<\/span>build<\/span>().<\/span>toUri<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"方式二结果: "<\/span> +<\/span> uri2);<\/span>  \/\/ 应显示指向evil.com的URI
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>预期输出<\/h3>
如果系统存在漏洞，输出将显示URI指向evil.com<\/code>而非trusted.com<\/code>。<\/p>
修复方案<\/h2>
官方修复<\/h3>
Spring Framework已发布修复版本：<\/p>

6.0.x用户升级到6.0.17+<\/li>
5.3.x用户升级到5.3.32+<\/li>
<\/ul>
临时缓解措施<\/h3>
如果无法立即升级，可采取以下措施：<\/p>

输入验证<\/strong>：对所有用户提供的URL进行严格验证<\/li>
白名单验证<\/strong>：只允许特定的可信域名<\/li>
自定义UriComponentsBuilder包装器<\/strong>：<\/li>
<\/ol>
public<\/span> class<\/span> SafeUriComponentsBuilder<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> UriComponentsBuilder fromUriStringSafe<\/span>(<\/span>String uri)<\/span> {<\/span>
<\/span><\/span>        UriComponentsBuilder builder =<\/span> UriComponentsBuilder.<\/span>fromUriString<\/span>(<\/span>uri);<\/span>
<\/span><\/span>        validateHost(<\/span>builder.<\/span>build<\/span>().<\/span>getHost<\/span>());<\/span>
<\/span><\/span>        return<\/span> builder;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> static<\/span> void<\/span> validateHost<\/span>(<\/span>String host)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>host ==<\/span> null<\/span> ||<\/span> host.<\/span>contains<\/span>(<\/span>"\\"<\/span>)<\/span> ||<\/span> host.<\/span>contains<\/span>(<\/span>"\/"<\/span>))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> IllegalArgumentException(<\/span>"Invalid host name"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ 添加额外的白名单验证
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御最佳实践<\/h2>

永远不要直接使用用户提供的URL进行重定向或请求<\/strong><\/li>
实施严格的URL验证<\/strong>：

验证协议(只允许http\/https)<\/li>
验证主机名(白名单机制)<\/li>
检查特殊字符<\/li>
<\/ul>
<\/li>
使用相对URL<\/strong>：尽可能使用相对路径而非完整URL<\/li>
记录和监控<\/strong>：记录所有重定向操作和外部请求<\/li>
<\/ol>
漏洞影响评估<\/h2>

CVSS评分<\/strong>：6.1 (中等)<\/li>
攻击复杂度<\/strong>：低<\/li>
用户交互<\/strong>：需要(开放重定向场景)<\/li>
影响范围<\/strong>：取决于应用程序如何使用UriComponentsBuilder<\/li>
<\/ul>
相关CVE<\/h2>

CVE-2024-22243：原始漏洞，通过\<\/code>字符绕过主机验证<\/li>
CVE-2024-22259：修复不充分导致的绕过漏洞<\/li>
<\/ul>
总结<\/h2>
CVE-2024-22259展示了即使修复了安全漏洞，也可能存在不充分的补丁导致新的绕过方式。开发者应当：<\/p>

及时升级到安全版本<\/li>
实施深度防御策略<\/li>
对用户提供的所有输入进行严格验证<\/li>
定期进行安全审计和代码审查<\/li>
<\/ol>
通过全面理解此漏洞的原理和利用方式，开发者可以更好地保护Spring应用程序免受类似攻击。<\/p>

CVE-2024-22259 (CVE-2024-22243绕过) 深入分析与防护指南<\/h1>

漏洞原理<\/h2>

UriComponentsBuilder功能<\/h3> UriComponentsBuilder是Spring Web中用于构建和操作URI的工具类，提供链式API来构造URI。<\/p>

CVE-2024-22259绕过方式<\/h3> Spring对CVE-2024-22243的修复不充分，攻击者仍可通过两种方式绕过：<\/p>

漏洞验证方法<\/h2>

预期输出<\/h3> 如果系统存在漏洞，输出将显示URI指向evil.com<\/code>而非trusted.com<\/code>。<\/p>

UriComponentsBuilder功能<\/h3>
UriComponentsBuilder是Spring Web中用于构建和操作URI的工具类，提供链式API来构造URI。<\/p>

CVE-2024-22259绕过方式<\/h3>
Spring对CVE-2024-22243的修复不充分，攻击者仍可通过两种方式绕过：<\/p>

预期输出<\/h3>
如果系统存在漏洞，输出将显示URI指向`evil.com<\/code>而非trusted.com<\/code>。<\/p>`