PT-2024-19292 · Spring · Spring Authorization Server

Pieter Philippaerts · Published 2024-03-19 · Updated 2024-12-05 · CVE-2024-22258

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Spring Authorization Server versions 1.0.0 through 1.0.5
Spring Authorization Server versions 1.1.0 through 1.1.5
Spring Authorization Server versions 1.2.0 through 1.2.2
Spring Authorization Server older unsupported versions
Description

The issue is a PKCE downgrade attack for confidential clients. An application is vulnerable when a confidential client uses PKCE (RFC 7636) for the Authorization Code Grant. A downgrade here means that the token endpoint can be made to accept the authorization code exchange without the PKCE check that the authorization request committed to, so the protection PKCE was meant to add for that client is lost. An application is not vulnerable when a public client uses PKCE for the Authorization Code Grant.
Recommendations

For Spring Authorization Server versions 1.0.0 through 1.0.5, 1.1.0 through 1.1.5, and 1.2.0 through 1.2.2, consider disabling the use of PKCE for the Authorization Code Grant by confidential clients until a patch is available.
For Spring Authorization Server older unsupported versions, consider upgrading to a supported version and then disabling the use of PKCE for the Authorization Code Grant by confidential clients until a patch is available.

Note that this workaround gives up the authorization-code-injection protection that PKCE adds for confidential clients; those clients then rely on client authentication and the state parameter alone, so PKCE should be re-enabled once a patched release is deployed.
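As an added illustration (constructed for this page, not code from Spring Authorization Server or from the advisory), the following Python models the class of flaw the description names: a token endpoint that enforces PKCE only for public clients, beside one that enforces it whenever the authorization request committed to a code_challenge. The client ids, client secret and verifiers are made up, and the vulnerable function is a generic sketch of the downgrade pattern, not a reconstruction of the affected Spring code paths. The check itself is language-independent, which is why it is shown in Python rather than Java.

```python
# Constructed example (not Spring Authorization Server code): what a PKCE
# downgrade at the token endpoint looks like for a confidential client, and
# the check that closes it. Client ids, secrets and verifiers are made up.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class AuthorizationCode:
    """What the server bound to a code when it issued it at the authorization endpoint."""
    client_id: str
    code_challenge: Optional[str]          # None if the authorization request had no PKCE
    code_challenge_method: Optional[str]   # "S256" or "plain"


# Constructed registry: one confidential client (has a secret) and one public client.
CONFIDENTIAL_SECRETS = {"web-app": "s3cr3t"}
PUBLIC_CLIENTS = {"spa"}


def client_authenticated(client_id: str, client_secret: Optional[str]) -> bool:
    expected = CONFIDENTIAL_SECRETS.get(client_id)
    return (expected is not None and client_secret is not None
            and hmac.compare_digest(expected, client_secret))


def verifier_matches(code: AuthorizationCode, code_verifier: Optional[str]) -> bool:
    """RFC 7636 section 4.6: recompute the challenge from the presented verifier."""
    if code.code_challenge is None or code_verifier is None:
        return False
    if code.code_challenge_method == "S256":
        return hmac.compare_digest(s256_challenge(code_verifier), code.code_challenge)
    return hmac.compare_digest(code_verifier, code.code_challenge)  # "plain"


def exchange_vulnerable(code, client_id, client_secret, code_verifier) -> bool:
    """Downgrade-prone logic: PKCE is enforced only for public clients. For a
    confidential client, valid client credentials are treated as sufficient and
    the code_challenge the code was bound to is never checked."""
    if code.client_id != client_id:
        return False
    if client_id in PUBLIC_CLIENTS:
        return verifier_matches(code, code_verifier)
    return client_authenticated(client_id, client_secret)


def exchange_hardened(code, client_id, client_secret, code_verifier) -> bool:
    """Client authentication and PKCE are independent requirements: if the
    authorization request carried a code_challenge, a matching code_verifier is
    required whatever the client type; if it did not, a stray code_verifier is
    rejected too (the OAuth 2.1 rule), which blocks injecting a code from a
    non-PKCE flow into a PKCE-using client session."""
    if code.client_id != client_id:
        return False
    if client_id in PUBLIC_CLIENTS:
        if code.code_challenge is None:       # public clients must use PKCE
            return False
    elif not client_authenticated(client_id, client_secret):
        return False
    if code.code_challenge is None:
        return code_verifier is None          # reject a verifier for a non-PKCE code
    return verifier_matches(code, code_verifier)


def code_injection_demo() -> dict:
    """Attacker runs their own flow (their own verifier), obtains a code, and
    injects it into the victim's session at the confidential client. The honest
    client then redeems it with the victim's verifier and its real client secret."""
    attacker_verifier = "attacker-verifier-Z4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    victim_verifier = "victim-verifier-dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFW"
    injected = AuthorizationCode("web-app", s256_challenge(attacker_verifier), "S256")
    return {
        "vulnerable_accepts": exchange_vulnerable(injected, "web-app", "s3cr3t", victim_verifier),
        "hardened_accepts": exchange_hardened(injected, "web-app", "s3cr3t", victim_verifier),
    }


if __name__ == "__main__":
    print(code_injection_demo())  # {'vulnerable_accepts': True, 'hardened_accepts': False}
```

The point the demo makes is that the confidential client's secret says who is redeeming the code, while the code_verifier says whose browser session started the flow; treating the first as a substitute for the second is exactly the downgrade, and it is what lets an injected code be accepted.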

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2024-22258
GHSA-X637-X8P3-5P22

Affected Products

Spring Authorization Server