PT-2018-11281 · Spring · Spring Security Oauth
Philippe Arteau
·
Published
2018-05-11
·
Updated
2019-03-13
·
CVE-2018-1260
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Spring Security OAuth versions 2.0 prior to 2.0.15
Spring Security OAuth versions 2.1 prior to 2.1.2
Spring Security OAuth versions 2.2 prior to 2.2.2
Spring Security OAuth versions 2.3 prior to 2.3.3
Description
The issue allows a malicious user to craft an authorization request to the "authorization endpoint" that can lead to remote code execution when the resource owner is forwarded to the "approval endpoint". This can be exploited by an attacker.
Recommendations
For versions 2.0 prior to 2.0.15, update to version 2.0.15 or later.
For versions 2.1 prior to 2.1.2, update to version 2.1.2 or later.
For versions 2.2 prior to 2.2.2, update to version 2.2.2 or later.
For versions 2.3 prior to 2.3.3, update to version 2.3.3 or later.
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Spring Security Oauth