PT-2022-15749 · Spring · Spring Security Oauth

Published 2022-04-21 · Updated 2024-10-10 · CVE-2022-22969

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Spring Security OAuth versions 2.5.x prior to 2.5.2
Spring Security OAuth older unsupported versions

Description

The issue is a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This exposes OAuth 2.0 Client applications only.

Recommendations

For Spring Security OAuth versions 2.5.x prior to 2.5.2, update to version 2.5.2 or later to resolve the issue. For Spring Security OAuth older unsupported versions, consider upgrading to a supported version to mitigate the risk of exploitation. As a temporary workaround, consider restricting the number of Authorization Requests that can be initiated from a single session to minimize the risk of exhausting system resources.
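The temporary workaround above, as an added example that is not part of this advisory or of the Spring Security OAuth project: a servlet filter that caps how many Authorization Requests one HTTP session may initiate. The initiation path, the session attribute name and the cap are assumptions for illustration; adjust them to the client application's actual redirect-initiating endpoint.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects Authorization Request initiations once a session exceeds a fixed cap. */
public class AuthorizationRequestLimitFilter implements Filter {
    // Session attribute key used to keep the per-session counter (name is an assumption).
    private static final String COUNTER_ATTR = "authorizationRequestInitiations";
    private final String initiationPath; // e.g. "/oauth/start" (assumed endpoint)
    private final int maxPerSession;     // e.g. 10 (assumed cap)

    public AuthorizationRequestLimitFilter(String initiationPath, int maxPerSession) {
        this.initiationPath = initiationPath;
        this.maxPerSession = maxPerSession;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Only the endpoint that starts the Authorization Code Grant is rate-limited.
        if (!req.getRequestURI().startsWith(req.getContextPath() + initiationPath)) {
            chain.doFilter(request, response);
            return;
        }
        HttpSession session = req.getSession(true);
        // Concurrent requests on the same session must not race the counter; locking the
        // session object works on containers that return one facade per session (e.g. Tomcat).
        synchronized (session) {
            Integer current = (Integer) session.getAttribute(COUNTER_ATTR);
            int next = (current == null ? 0 : current) + 1;
            if (next > maxPerSession) {
                // 429: this session has already started too many Authorization Requests.
                res.sendError(429, "Too many authorization requests for this session");
                return;
            }
            session.setAttribute(COUNTER_ATTR, next);
        }
        chain.doFilter(request, response);
    }
}
```

Register the filter ahead of the client's authorization-initiating filter; the counter resets when the session is invalidated, so a legitimate user who hits the cap recovers by logging in again.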

Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2022-22969
GHSA-C2CP-3XJ9-97W9

Affected Products

Spring Security Oauth