| Field | Value |
|---|---|
| purl | pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.0 |
| Next non-vulnerable version | 2.0.10 |
| Latest non-vulnerable version | 2.5.2.RELEASE |
| Risk | |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1ndm-y1m9-3feg (Aliases: CVE-2019-3778, GHSA-77rv-6vfw-x4gc) | URL Redirection to Untrusted Site: Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner's user-agent to a URI under the control of the attacker, together with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: they act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and use the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. This vulnerability does not expose applications that act in the role of an Authorization Server and use a `RedirectResolver` implementation other than `DefaultRedirectResolver`, act in the role of a Resource Server only (e.g. `@EnableResourceServer`), or act in the role of a Client only (e.g. `@EnableOAuthClient`). | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-rfwp-tv3x-zqak (Aliases: CVE-2016-4977, GHSA-7q9c-h23x-65fq) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the `response_type` parameter value was evaluated as a Spring SpEL expression, which enabled a malicious user to trigger remote code execution by crafting the value of `response_type`. | Affected by 0 other vulnerabilities. |
| VCID-rqmm-31xc-eqfp (Aliases: CVE-2019-11269, GHSA-mmf6-6597-3v6m) | URL Redirection to Untrusted Site (Open Redirect): Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner's user-agent to a URI under the control of the attacker, together with the leaked authorization code. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:39:21.301387+00:00 | GitLab Importer | Affected by | VCID-rqmm-31xc-eqfp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2019-11269.yml | 38.6.0 |
| 2026-06-02T04:38:58.959869+00:00 | GitLab Importer | Affected by | VCID-1ndm-y1m9-3feg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2019-3778.yml | 38.6.0 |
| 2026-06-02T04:38:28.761291+00:00 | GitLab Importer | Affected by | VCID-rfwp-tv3x-zqak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2016-4977.yml | 38.6.0 |