CVE-2018-15801

Name of the Vulnerable Software and Affected Versions Spring Security versions 5.1.x prior to 5.1.2

Description The issue allows for an authorization bypass during JWT issuer validation. This can occur when the same private key is used for both an honest issuer and a malicious user to sign JWTs. In such a scenario, a malicious user could create signed JWTs with a malicious issuer URL, potentially allowing them to be granted access as if they were from the honest issuer.

Recommendations For Spring Security versions 5.1.x prior to 5.1.2, update to version 5.1.2 or later to resolve the authorization bypass vulnerability.