CVE-2018-1260 – org.springframework.security.oauth:spring-security-oauth2
Package
Manager: maven
Name: org.springframework.security.oauth:spring-security-oauth2
Vulnerable Version: >=2.3.0 <2.3.3 || >=2.2.0 <2.2.2 || >=2.1.0 <2.1.2 || >=2.0.0 <2.0.15 || >=1.0.0 <=1.0.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.51226 (percentile 0.97799)
Details
Spring Security OAuth vulnerable to remote code execution (RCE)
Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
Metadata
Created: 2018-10-18T18:05:34Z
Modified: 2024-05-14T17:55:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrpm-pj7p-7j9q/GHSA-rrpm-pj7p-7j9q.json
CWE IDs: CWE-94
Alternative ID: GHSA-rrpm-pj7p-7j9q
Finding: F422
Auto approve: 1