PT-2018-11281 · Spring · Spring Security Oauth
Philippe Arteau
·
Publicado
2018-05-11
·
Atualizado
2019-03-13
·
CVE-2018-1260
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Spring Security OAuth versions 2.0 prior to 2.0.15
Spring Security OAuth versions 2.1 prior to 2.1.2
Spring Security OAuth versions 2.2 prior to 2.2.2
Spring Security OAuth versions 2.3 prior to 2.3.3
Description
The issue allows a malicious user to craft an authorization request to the "authorization endpoint" that can lead to remote code execution when the resource owner is forwarded to the "approval endpoint". This can be exploited by an attacker.
Recommendations
For versions 2.0 prior to 2.0.15, update to version 2.0.15 or later.
For versions 2.1 prior to 2.1.2, update to version 2.1.2 or later.
For versions 2.2 prior to 2.2.2, update to version 2.2.2 or later.
For versions 2.3 prior to 2.3.3, update to version 2.3.3 or later.
Correção
RCE
Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Spring Security Oauth