Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.springframework.security.oauth/spring-security-oauth@2.2.0 |
|---|
| Type | maven |
|---|
| Namespace | org.springframework.security.oauth |
|---|
| Name | spring-security-oauth |
|---|
| Version | 2.2.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 2.2.4 |
|---|
| Latest_non_vulnerable_version | 2.5.2 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1ndm-y1m9-3feg |
| vulnerability_id |
VCID-1ndm-y1m9-3feg |
| summary |
URL Redirection to Untrusted Site
Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and uses the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different `RedirectResolver` implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. `@EnableResourceServer`), act in the role of a Client only (e.g. `@EnableOAuthClient`). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-3778, GHSA-77rv-6vfw-x4gc
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1ndm-y1m9-3feg |
|
| 1 |
| url |
VCID-rqmm-31xc-eqfp |
| vulnerability_id |
VCID-rqmm-31xc-eqfp |
| summary |
URL Redirection to Untrusted Site (Open Redirect)
Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-11269, GHSA-mmf6-6597-3v6m
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rqmm-31xc-eqfp |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth@2.2.0 |
|---|