PT-2018-13185 · Spring · Spring Security Oauth

Alvaro Muñoz (+1) · Published 2018-10-18 · Updated 2019-10-03

CVE-2018-15758 · CVSS v3.1 9.6 (Critical) · Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Spring Security OAuth versions 2.0 prior to 2.0.16
Spring Security OAuth versions 2.1 prior to 2.1.3
Spring Security OAuth versions 2.2 prior to 2.2.3
Spring Security OAuth versions 2.3 prior to 2.3.4
Description

The issue allows a malicious user to craft a request to the approval endpoint, potentially leading to a privilege escalation on subsequent approval. This can occur when the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument, and the application acts in the role of an Authorization Server. Declaring the object as a method argument lets Spring MVC bind request parameters supplied by the caller onto the AuthorizationRequest held in the user's session, so the values used when the authorization is subsequently approved are no longer the ones the Authorization Server validated. Applications that use the framework's default approval endpoint, or that act only as a Resource Server or client, are not affected.
Recommendations

For Spring Security OAuth versions 2.0 prior to 2.0.16, update to version 2.0.16 or later.
For Spring Security OAuth versions 2.1 prior to 2.1.3, update to version 2.1.3 or later.
For Spring Security OAuth versions 2.2 prior to 2.2.3, update to version 2.2.3 or later.
For Spring Security OAuth versions 2.3 prior to 2.3.4, update to version 2.3.4 or later.

As a temporary workaround until the upgrade can be applied, disable the custom approval endpoint that declares AuthorizationRequest as a controller method argument, or change it so that it no longer takes AuthorizationRequest as a method argument (reading it from the model map instead keeps request-parameter binding away from the object). Upgrading to a fixed version remains the primary remediation.
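The vulnerable pattern the description refers to, beside a safe rewrite of the same custom approval endpoint, as an added example that is not code from the advisory or from the Spring Security OAuth project. The package and class names, the view name access_confirmation and the tampered scope parameter in the comment are illustrative assumptions; the model attribute name "authorizationRequest" and the /oauth/confirm_access mapping are the ones the framework's own AuthorizationEndpoint forwards to.

```java
// Added example, not part of the advisory or the Spring Security OAuth project.
// Assumes the usual Authorization Server setup: the framework's AuthorizationEndpoint
// validates the request, stores it in the HTTP session under the model attribute
// "authorizationRequest" and forwards to /oauth/confirm_access.
package example.approval;  // hypothetical package name

import java.util.Map;

import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.servlet.ModelAndView;

/**
 * VULNERABLE pattern: the precondition named in the advisory.
 *
 * AuthorizationRequest is not a simple type, so Spring MVC treats the argument as a
 * model attribute. It fetches the instance already stored in the session (because of
 * @SessionAttributes) and then runs request-parameter data binding against it. Any
 * bean property with a public setter (scope, resourceIds, approved, redirectUri, ...)
 * can be overwritten by a request parameter, and the modified object stays in the
 * session for the subsequent POST /oauth/authorize approval step.
 *
 * Illustrative tampered request (parameter chosen for illustration; which property
 * yields an escalation depends on the deployment):
 *   GET /oauth/confirm_access?scope=admin
 */
@Controller
@SessionAttributes("authorizationRequest")
class VulnerableApprovalController {

    @RequestMapping("/oauth/confirm_access")
    public ModelAndView getAccessConfirmation(AuthorizationRequest authorizationRequest) {
        // authorizationRequest.getScope() may now contain caller-supplied values.
        return new ModelAndView("access_confirmation", "authorizationRequest", authorizationRequest);
    }
}

/**
 * HARDENED pattern: never expose the session-stored AuthorizationRequest to data
 * binding. It is read from the model map instead of being declared as a method
 * argument, so request parameters cannot reach its setters. Only the fields the
 * confirmation page needs are copied into the view model.
 */
@Controller
@SessionAttributes("authorizationRequest")
class HardenedApprovalController {

    @RequestMapping("/oauth/confirm_access")
    public ModelAndView getAccessConfirmation(Map<String, Object> model) {
        AuthorizationRequest authorizationRequest =
                (AuthorizationRequest) model.get("authorizationRequest");
        if (authorizationRequest == null) {
            // No validated request in the session: the flow did not start at /oauth/authorize.
            throw new IllegalStateException("No authorization request in session");
        }
        ModelAndView mav = new ModelAndView("access_confirmation");
        mav.addObject("clientId", authorizationRequest.getClientId());
        mav.addObject("scopes", authorizationRequest.getScope());
        return mav;
    }
}
```

The hardened controller is also the shape of the temporary workaround above: removing the method argument removes the precondition the advisory names. It does not replace the upgrade; the fixed versions are still the primary remediation.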

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

CVE-2018-15758
GHSA-H8W4-QV99-F7VJ

Affected Products

Spring Security Oauth