CVE-2021-22119 org.springframework.security:spring-security-oauth2-client

Package

Manager: maven
Name: org.springframework.security:spring-security-oauth2-client
Vulnerable Version: >=5.5.0 <5.5.1 || >=5.4.0 <5.4.7 || >=5.3.0 <5.3.10 || >=5.2.0 <5.2.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04895 (percentile 0.89177)

Details

Resource Exhaustion in Spring Security

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

Metadata

Created: 2021-07-02T18:33:34Z
Modified: 2022-03-30T21:15:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-w9jg-gvgr-354m/GHSA-w9jg-gvgr-354m.json
CWE IDs: ["CWE-400", "CWE-863"]
Alternative ID: GHSA-w9jg-gvgr-354m
Finding: F002
Auto approve: 1