Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.7.RELEASE
Typemaven
Namespaceorg.springframework.security.oauth
Namespring-security-oauth2
Version2.0.7.RELEASE
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.0.18.RELEASE
Latest_non_vulnerable_version2.5.2.RELEASE
Affected_by_vulnerabilities
0
url VCID-1ndm-y1m9-3feg
vulnerability_id VCID-1ndm-y1m9-3feg
summary 
URL Redirection to Untrusted Site
Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and uses the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different `RedirectResolver` implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. `@EnableResourceServer`), act in the role of a Client only (e.g. `@EnableOAuthClient`).
references
0
reference_url http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3778.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3778.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-3778
reference_id
reference_type
scores
0
value 0.14855
scoring_system epss
scoring_elements 0.94646
published_at 2026-06-04T12:55:00Z
1
value 0.14855
scoring_system epss
scoring_elements 0.94655
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-3778
3
reference_url https://github.com/spring-attic/spring-security-oauth
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-attic/spring-security-oauth
4
reference_url https://web.archive.org/web/20200227084837/http://www.securityfocus.com/bid/107153
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200227084837/http://www.securityfocus.com/bid/107153
5
reference_url https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2021.html
6
reference_url http://www.securityfocus.com/bid/107153
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/107153
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1695979
reference_id 1695979
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1695979
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-3778
reference_id CVE-2019-3778
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-3778
9
reference_url https://pivotal.io/security/cve-2019-3778
reference_id CVE-2019-3778
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://pivotal.io/security/cve-2019-3778
10
reference_url https://github.com/advisories/GHSA-77rv-6vfw-x4gc
reference_id GHSA-77rv-6vfw-x4gc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-77rv-6vfw-x4gc
fixed_packages
0
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.17.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.17.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.17.RELEASE
1
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE
2
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.4.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.4.RELEASE
3
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.5.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.5.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.5.RELEASE
4
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.4.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.4.RELEASE
5
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.5.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.5.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.5.RELEASE
6
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.5.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.5.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.5.RELEASE
7
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.6.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.6.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.6.RELEASE
aliases CVE-2019-3778, GHSA-77rv-6vfw-x4gc
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1ndm-y1m9-3feg
1
url VCID-pbvw-fs16-67bq
vulnerability_id VCID-pbvw-fs16-67bq
summary 
Improper Privilege Management
Spring Security OAuth are susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval.
references
0
reference_url https://access.redhat.com/errata/RHSA-2019:2413
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:2413
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-15758.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-15758.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-15758
reference_id
reference_type
scores
0
value 0.00326
scoring_system epss
scoring_elements 0.55923
published_at 2026-06-05T12:55:00Z
1
value 0.00326
scoring_system epss
scoring_elements 0.55867
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-15758
3
reference_url https://github.com/advisories/GHSA-h8w4-qv99-f7vj
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-h8w4-qv99-f7vj
4
reference_url https://github.com/spring-attic/spring-security-oauth/commit/4082ec7ae3d39198a47b5c803ccb20dacefb0b0
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-attic/spring-security-oauth/commit/4082ec7ae3d39198a47b5c803ccb20dacefb0b0
5
reference_url https://github.com/spring-attic/spring-security-oauth/commit/623776689fdcc8047f5a908c71f348e1f172a97
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-attic/spring-security-oauth/commit/623776689fdcc8047f5a908c71f348e1f172a97
6
reference_url https://github.com/spring-attic/spring-security-oauth/commit/ddd65cd9417ae1e4a69e4193a622300db38e2ef
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-attic/spring-security-oauth/commit/ddd65cd9417ae1e4a69e4193a622300db38e2ef
7
reference_url https://github.com/spring-attic/spring-security-oauth/commit/f92223afc71687bd3156298054903f50aa71fbf
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-attic/spring-security-oauth/commit/f92223afc71687bd3156298054903f50aa71fbf
8
reference_url https://github.com/spring-projects/spring-security-oauth/commit/4082ec7ae3d39198a47b5c803ccb20dacefb0b0
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/4082ec7ae3d39198a47b5c803ccb20dacefb0b0
9
reference_url https://github.com/spring-projects/spring-security-oauth/commit/623776689fdcc8047f5a908c71f348e1f172a97
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/623776689fdcc8047f5a908c71f348e1f172a97
10
reference_url https://github.com/spring-projects/spring-security-oauth/commit/ddd65cd9417ae1e4a69e4193a622300db38e2ef
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/ddd65cd9417ae1e4a69e4193a622300db38e2ef
11
reference_url https://github.com/spring-projects/spring-security-oauth/commit/f92223afc71687bd3156298054903f50aa71fbf
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/f92223afc71687bd3156298054903f50aa71fbf
12
reference_url http://www.securityfocus.com/bid/105687
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/105687
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1643048
reference_id 1643048
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1643048
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-15758
reference_id CVE-2018-15758
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-15758
15
reference_url https://pivotal.io/security/cve-2018-15758
reference_id CVE-2018-15758
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://pivotal.io/security/cve-2018-15758
fixed_packages
0
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.16
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.16
1
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.16.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.16.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.16.RELEASE
2
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.3
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.3
3
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.3.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.3.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.3.RELEASE
4
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.3.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.3.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.3.RELEASE
5
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.4.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.4.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.4.RELEASE
aliases CVE-2018-15758, GHSA-h8w4-qv99-f7vj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pbvw-fs16-67bq
2
url VCID-rfwp-tv3x-zqak
vulnerability_id VCID-rfwp-tv3x-zqak
summary 
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-4977
reference_id
reference_type
scores
0
value 0.93658
scoring_system epss
scoring_elements 0.99852
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-4977
1
reference_url https://github.com/spring-projects/spring-security-oauth/commit/fff77d3fea477b566bcacfbfc95f85821a2bdc2d
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/fff77d3fea477b566bcacfbfc95f85821a2bdc2d
2
reference_url https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488@%3Cdev.fineract.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488@%3Cdev.fineract.apache.org%3E
3
reference_url https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0@%3Cdev.fineract.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0@%3Cdev.fineract.apache.org%3E
4
reference_url https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2@%3Cannounce.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274@%3Cdev.fineract.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274@%3Cdev.fineract.apache.org%3E
6
reference_url http://www.openwall.com/lists/oss-security/2019/10/16/1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/10/16/1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-4977
reference_id CVE-2016-4977
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-4977
8
reference_url https://pivotal.io/security/cve-2016-4977
reference_id CVE-2016-4977
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://pivotal.io/security/cve-2016-4977
9
reference_url https://github.com/advisories/GHSA-7q9c-h23x-65fq
reference_id GHSA-7q9c-h23x-65fq
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-7q9c-h23x-65fq
fixed_packages
0
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.9.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.9.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-pbvw-fs16-67bq
2
vulnerability VCID-rqmm-31xc-eqfp
3
vulnerability VCID-uxa4-6eep-8kh6
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.9.RELEASE
1
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10
aliases CVE-2016-4977, GHSA-7q9c-h23x-65fq
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rfwp-tv3x-zqak
3
url VCID-rqmm-31xc-eqfp
vulnerability_id VCID-rqmm-31xc-eqfp
summary 
URL Redirection to Untrusted Site (Open Redirect)
Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.
references
0
reference_url http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11269.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11269.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-11269
reference_id
reference_type
scores
0
value 0.06347
scoring_system epss
scoring_elements 0.91151
published_at 2026-06-04T12:55:00Z
1
value 0.06347
scoring_system epss
scoring_elements 0.91164
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-11269
3
reference_url https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2021.html
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1715771
reference_id 1715771
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1715771
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-11269
reference_id CVE-2019-11269
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-11269
6
reference_url https://pivotal.io/security/cve-2019-11269
reference_id CVE-2019-11269
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://pivotal.io/security/cve-2019-11269
7
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/47000.txt
reference_id CVE-2019-3778;CVE-2019-11269
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/47000.txt
8
reference_url https://github.com/advisories/GHSA-mmf6-6597-3v6m
reference_id GHSA-mmf6-6597-3v6m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmf6-6597-3v6m
fixed_packages
0
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE
1
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.19.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.19.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.19.RELEASE
2
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.5.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.5.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.5.RELEASE
3
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.6.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.6.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.6.RELEASE
4
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.5.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.5.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.5.RELEASE
5
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.6.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.6.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.6.RELEASE
6
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.6.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.6.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.6.RELEASE
7
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.7.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.7.RELEASE
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.7.RELEASE
aliases CVE-2019-11269, GHSA-mmf6-6597-3v6m
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rqmm-31xc-eqfp
4
url VCID-uxa4-6eep-8kh6
vulnerability_id VCID-uxa4-6eep-8kh6
summary 
Code Injection
Spring Security OAuth contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
references
0
reference_url https://access.redhat.com/errata/RHSA-2018:1809
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2018:1809
1
reference_url https://access.redhat.com/errata/RHSA-2018:2939
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2018:2939
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1260.json
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1260.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-1260
reference_id
reference_type
scores
0
value 0.52285
scoring_system epss
scoring_elements 0.97979
published_at 2026-06-05T12:55:00Z
1
value 0.52285
scoring_system epss
scoring_elements 0.97976
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-1260
4
reference_url https://github.com/advisories/GHSA-rrpm-pj7p-7j9q
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-rrpm-pj7p-7j9q
5
reference_url https://github.com/spring-attic/spring-security-oauth
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/spring-attic/spring-security-oauth
6
reference_url https://github.com/spring-projects/spring-security-oauth/commit/1c6815ac1b26fb2f079adbe283c43a7fd0885f3
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/1c6815ac1b26fb2f079adbe283c43a7fd0885f3
7
reference_url https://github.com/spring-projects/spring-security-oauth/commit/6b1791179c1092553aa0690da22dac4dff2fc58
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/6b1791179c1092553aa0690da22dac4dff2fc58
8
reference_url https://github.com/spring-projects/spring-security-oauth/commit/8e9792c1963f1aeea81ca618785eb8d71d1cd1d
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/8e9792c1963f1aeea81ca618785eb8d71d1cd1d
9
reference_url https://github.com/spring-projects/spring-security-oauth/commit/adb1e6d19c681f394c9513799b81b527b0cb007
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security-oauth/commit/adb1e6d19c681f394c9513799b81b527b0cb007
10
reference_url https://web.archive.org/web/20200227123539/http://www.securityfocus.com/bid/104158
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200227123539/http://www.securityfocus.com/bid/104158
11
reference_url http://www.securityfocus.com/bid/104158
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/104158
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1584376
reference_id 1584376
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1584376
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-1260
reference_id CVE-2018-1260
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-1260
14
reference_url https://pivotal.io/security/cve-2018-1260
reference_id CVE-2018-1260
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://pivotal.io/security/cve-2018-1260
fixed_packages
0
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.15
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.15
1
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.15.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.15.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-pbvw-fs16-67bq
2
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.15.RELEASE
2
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2
3
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-pbvw-fs16-67bq
2
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2.RELEASE
4
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.2
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.2
5
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.2.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.2.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-pbvw-fs16-67bq
2
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.2.2.RELEASE
6
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.3
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.3
7
url pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.3.RELEASE
purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.3.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ndm-y1m9-3feg
1
vulnerability VCID-pbvw-fs16-67bq
2
vulnerability VCID-rqmm-31xc-eqfp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.3.RELEASE
aliases CVE-2018-1260, GHSA-rrpm-pj7p-7j9q
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uxa4-6eep-8kh6
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.7.RELEASE