Spring · Spring Authorization Server · CVE-2024-22258
**Name of the Vulnerable Software and Affected Versions**
- Spring Authorization Server versions 1.0.0 through 1.0.5
- Spring Authorization Server versions 1.1.0 through 1.1.5
- Spring Authorization Server versions 1.2.0 through 1.2.2
- Spring Authorization Server older unsupported versions
**Description**
The issue is a PKCE Downgrade Attack affecting Confidential Clients. An application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. By contrast, an application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
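A PKCE downgrade is the general failure mode in which a token request is accepted without the `code_verifier` even though the authorization request bound a `code_challenge`; the standard server-side defence is to verify a bound challenge for every client type, with a confidential client authenticating in addition rather than instead. The Python below is an added example written for this page, not Spring Authorization Server code; the stored authorization record, the client identifier and the verifier value are constructed, and the two token-endpoint functions are hypothetical names that contrast the downgrade-prone check with the hardened one.

```python
import base64
import hashlib
import hmac


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed sample: what the server stored when it issued the authorization
# code; a real server looks this up by the code presented at the token endpoint.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
AUTHORIZATION = {
    "client_id": "confidential-app",
    "client_type": "confidential",  # "confidential" or "public"
    "code_challenge": s256_challenge(VERIFIER),
    "code_challenge_method": "S256",
}


def pkce_matches(auth: dict, code_verifier: str) -> bool:
    """Recompute the challenge from the presented verifier; constant-time compare."""
    if auth["code_challenge_method"] == "S256":
        expected = s256_challenge(code_verifier)
    else:  # "plain"
        expected = code_verifier
    return hmac.compare_digest(expected.encode("utf-8"), auth["code_challenge"].encode("utf-8"))


def token_request_ok_vulnerable(auth: dict, client_authenticated: bool, code_verifier):
    """Downgrade-prone logic: PKCE is enforced only for public clients, so a
    confidential client that authenticates with its secret may omit
    code_verifier and redeem a code that was bound to a challenge."""
    if auth["client_type"] == "confidential":
        return client_authenticated
    return code_verifier is not None and pkce_matches(auth, code_verifier)


def token_request_ok_fixed(auth: dict, client_authenticated: bool, code_verifier):
    """Hardened logic: a bound code_challenge is always verified, and a
    confidential client must additionally authenticate."""
    if auth["client_type"] == "confidential" and not client_authenticated:
        return False
    if auth["code_challenge"] is None:
        # Nothing was bound at authorization time; only a confidential client
        # may proceed, since public clients are expected to always use PKCE.
        return auth["client_type"] == "confidential"
    return code_verifier is not None and pkce_matches(auth, code_verifier)
```

With the constructed record, the downgrade-prone check accepts a confidential client's token request that carries no verifier at all, while the hardened check rejects it and accepts only the matching verifier.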
**Recommendations**
For Spring Authorization Server versions 1.0.0 through 1.0.5, consider disabling the use of PKCE for the Authorization Code Grant by Confidential Clients until a patch is available.
For Spring Authorization Server versions 1.1.0 through 1.1.5, consider disabling the use of PKCE for the Authorization Code Grant by Confidential Clients until a patch is available.
For Spring Authorization Server versions 1.2.0 through 1.2.2, consider disabling the use of PKCE for the Authorization Code Grant by Confidential Clients until a patch is available.
For Spring Authorization Server older unsupported versions, consider upgrading to a supported version and then disabling the use of PKCE for the Authorization Code Grant by Confidential Clients until a patch is available.