VulnerableCode Package Details - pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.18.RELEASE

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1ndm-y1m9-3feg	URL Redirection to Untrusted Site Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and uses the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different `RedirectResolver` implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. `@EnableResourceServer`), act in the role of a Client only (e.g. `@EnableOAuthClient`).	CVE-2019-3778 GHSA-77rv-6vfw-x4gc

Vulnerability

Summary

Aliases

VCID-1ndm-y1m9-3feg

URL Redirection to Untrusted Site Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and uses the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different `RedirectResolver` implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. `@EnableResourceServer`), act in the role of a Client only (e.g. `@EnableOAuthClient`).

CVE-2019-3778
GHSA-77rv-6vfw-x4gc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:38:59.015742+00:00	GitLab Importer	Fixing	VCID-1ndm-y1m9-3feg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2019-3778.yml	38.6.0

2026-06-02T04:38:59.015742+00:00

GitLab Importer

Fixing

VCID-1ndm-y1m9-3feg

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2019-3778.yml

38.6.0