Package details
purl: pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.8.RELEASE
Next non-vulnerable version: 2.0.18.RELEASE
Latest non-vulnerable version: 2.5.2.RELEASE
Risk: 10.0
Vulnerabilities affecting this package (5)
Each entry gives the VulnerableCode ID, its aliases, a summary, and the versions that fix it, with the number of other vulnerabilities that still affect each fixed version.
VCID-1ndm-y1m9-3feg
Aliases: CVE-2019-3778, GHSA-77rv-6vfw-x4gc
Summary (URL Redirection to Untrusted Site): Spring Security OAuth could be susceptible to an open redirector attack that leaks an authorization code. An attacker can craft a request to the authorization endpoint using the authorization code grant type and supply a manipulated redirection URI in the `redirect_uri` parameter. The authorization server then redirects the resource owner's user-agent to a URI under the attacker's control, with the leaked authorization code attached. This affects applications that act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and use the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. It does not affect applications that act as an Authorization Server with a `RedirectResolver` implementation other than `DefaultRedirectResolver`, act as a Resource Server only (e.g. `@EnableResourceServer`), or act as a Client only (e.g. `@EnableOAuthClient`).
Fixed by:
  2.0.17.RELEASE (affected by 1 other vulnerability)
  2.0.18.RELEASE (affected by 0 other vulnerabilities)
  2.1.4.RELEASE (affected by 1 other vulnerability)
  2.1.5.RELEASE (affected by 0 other vulnerabilities)
  2.2.4.RELEASE (affected by 1 other vulnerability)
  2.2.5.RELEASE (affected by 0 other vulnerabilities)
  2.3.5.RELEASE (affected by 1 other vulnerability)
  2.3.6.RELEASE (affected by 0 other vulnerabilities)
VCID-pbvw-fs16-67bq
Aliases: CVE-2018-15758, GHSA-h8w4-qv99-f7vj
Summary (Improper Privilege Management): Spring Security OAuth is susceptible to privilege escalation under certain conditions. An attacker can craft a request to the approval endpoint that modifies the previously saved authorization request, leading to a privilege escalation on the subsequent approval.
Fixed by (the bare and `.RELEASE` spellings refer to the same Maven release; they are listed separately because different advisory sources report the version differently):
  2.0.16 (affected by 0 other vulnerabilities)
  2.0.16.RELEASE (affected by 2 other vulnerabilities)
  2.1.3 (affected by 0 other vulnerabilities)
  2.1.3.RELEASE (affected by 2 other vulnerabilities)
  2.2.3.RELEASE (affected by 2 other vulnerabilities)
  2.3.4.RELEASE (affected by 2 other vulnerabilities)
VCID-rfwp-tv3x-zqak
Aliases: CVE-2016-4977, GHSA-7q9c-h23x-65fq
Summary (labelled "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"; the flaw described is injection of a Spring SpEL expression): When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the `response_type` parameter value was evaluated as a Spring SpEL expression, which allowed a malicious user to achieve remote code execution by crafting the `response_type` value.
Fixed by:
  2.0.9.RELEASE (affected by 4 other vulnerabilities)
  2.0.10 (affected by 0 other vulnerabilities)
VCID-rqmm-31xc-eqfp
Aliases: CVE-2019-11269, GHSA-mmf6-6597-3v6m
Summary (URL Redirection to Untrusted Site (Open Redirect)): Spring Security OAuth could be susceptible to an open redirector attack that leaks an authorization code. An attacker can craft a request to the authorization endpoint using the authorization code grant type and supply a manipulated redirection URI in the `redirect_uri` parameter. The authorization server then redirects the resource owner's user-agent to a URI under the attacker's control, with the leaked authorization code attached.
Fixed by:
  2.0.18.RELEASE (affected by 0 other vulnerabilities)
  2.0.19.RELEASE (affected by 0 other vulnerabilities)
  2.1.5.RELEASE (affected by 0 other vulnerabilities)
  2.1.6.RELEASE (affected by 0 other vulnerabilities)
  2.2.5.RELEASE (affected by 0 other vulnerabilities)
  2.2.6.RELEASE (affected by 0 other vulnerabilities)
  2.3.6.RELEASE (affected by 0 other vulnerabilities)
  2.3.7.RELEASE (affected by 0 other vulnerabilities)
VCID-uxa4-6eep-8kh6
Aliases: CVE-2018-1260, GHSA-rrpm-pj7p-7j9q
Summary (Code Injection): Spring Security OAuth contains a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that leads to remote code execution when the resource owner is forwarded to the approval endpoint.
Fixed by:
  2.0.15 (affected by 0 other vulnerabilities)
  2.0.15.RELEASE (affected by 3 other vulnerabilities)
  2.1.2 (affected by 0 other vulnerabilities)
  2.1.2.RELEASE (affected by 3 other vulnerabilities)
  2.2.2 (affected by 0 other vulnerabilities)
  2.2.2.RELEASE (affected by 3 other vulnerabilities)
  2.3.3 (affected by 0 other vulnerabilities)
  2.3.3.RELEASE (affected by 3 other vulnerabilities)
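The "Fixed by" lists above, together with the "Next non-vulnerable version" field at the top of the page, are the data a dependency scanner works with when it meets this purl in a build. The Python below is an added example, not VulnerableCode's own code: it parses the purl, implements a simplified Maven version ordering (a `RELEASE` qualifier equals the bare number, as in Maven's `ComparableVersion`; other qualifiers use a small rank table rather than Maven's full rules) and computes, from fixed versions transcribed from this page, which advisories affect a given version and the smallest fixed release in the same 2.x line. Two assumptions are the example's own: `FIXED_BY` takes one fixed version per line from the lists above (2.0.10 for CVE-2016-4977, because the summary states 2.0.0 to 2.0.9 are affected), and a version counts as affected when it is below the fix in its own minor line, or below every listed fix when its line never received one.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per advisory, transcribed from the listing above (one entry per 2.x line).
# Where the listing shows both "2.0.16" and "2.0.16.RELEASE", the comparator below treats
# the two spellings as the same release.
FIXED_BY: Dict[str, List[str]] = {
    "CVE-2016-4977":  ["2.0.10"],
    "CVE-2018-1260":  ["2.0.15", "2.1.2", "2.2.2", "2.3.3"],
    "CVE-2018-15758": ["2.0.16", "2.1.3", "2.2.3.RELEASE", "2.3.4.RELEASE"],
    "CVE-2019-3778":  ["2.0.17.RELEASE", "2.1.4.RELEASE", "2.2.4.RELEASE", "2.3.5.RELEASE"],
    "CVE-2019-11269": ["2.0.18.RELEASE", "2.1.5.RELEASE", "2.2.5.RELEASE", "2.3.6.RELEASE"],
}

# Simplified qualifier ordering; Maven's ComparableVersion is the reference implementation.
QUALIFIER_RANK = {"snapshot": 0, "alpha": 1, "beta": 2, "milestone": 3, "m": 3,
                  "rc": 4, "cr": 4, "": 5, "release": 5, "ga": 5, "final": 5}

PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl: str) -> Dict[str, Optional[str]]:
    """Split a package URL into type, namespace, name and version."""
    match = PURL_RE.match(purl)
    if not match:
        raise ValueError("not a versioned purl: " + purl)
    return match.groupdict()


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Comparable key: numeric components (trailing zeros dropped), qualifier rank, qualifier."""
    parts = re.split(r"[.\-]", v.strip())
    nums: List[int] = []
    while parts and parts[0].isdigit():
        nums.append(int(parts.pop(0)))
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = "-".join(parts).lower()           # e.g. "release", "rc1", ""
    word = re.match(r"[a-z]*", qualifier).group(0)
    rank = QUALIFIER_RANK.get(word, 1)            # unknown qualifiers sort as pre-releases
    if rank == 5:
        qualifier = ""                            # "2.0.16.RELEASE" == "2.0.16"
    return tuple(nums), rank, qualifier


def branch(v: str) -> Tuple[int, int]:
    """The major.minor line a version belongs to, e.g. (2, 0) for 2.0.8.RELEASE."""
    nums = parse_version(v)[0]
    return (nums + (0, 0))[:2]


def affected_by(version: str, advisory_fixes: Dict[str, List[str]] = FIXED_BY) -> List[str]:
    """Advisories whose fix in this version's line is newer than `version`, or, for lines
    without a fix, whose every fix is newer than `version` (assumed heuristic)."""
    pv = parse_version(version)
    hits = []
    for advisory, fixes in advisory_fixes.items():
        in_line = [f for f in fixes if branch(f) == branch(version)]
        if in_line:
            if pv < parse_version(min(in_line, key=parse_version)):
                hits.append(advisory)
        elif pv < min(parse_version(f) for f in fixes):
            hits.append(advisory)
    return hits


def next_non_vulnerable(version: str, advisory_fixes: Dict[str, List[str]] = FIXED_BY) -> Optional[str]:
    """Smallest release in the same minor line that none of the advisories affects;
    the version itself if it is already clean, None if the line has no fix for one of them."""
    targets = []
    for advisory in affected_by(version, advisory_fixes):
        in_line = [f for f in advisory_fixes[advisory] if branch(f) == branch(version)]
        if not in_line:
            return None
        targets.append(min(in_line, key=parse_version))
    return max(targets, key=parse_version) if targets else version


if __name__ == "__main__":
    purl = "pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.8.RELEASE"
    version = parse_purl(purl)["version"]
    print(version, "affected by", affected_by(version))
    print("upgrade to", next_non_vulnerable(version))
```

For the purl at the top of this page the result is the five advisories listed and an in-line upgrade to 2.0.18.RELEASE, matching the "Next non-vulnerable version" field; the "Latest non-vulnerable version" (2.5.2.RELEASE) is not derivable from the fix lists alone, since it depends on which later releases exist and carry no advisory.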
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

History (Date | Actor | Action | Vulnerability | Source | VulnerableCode Version)
2026-06-04T20:22:42.943724+00:00 | GitLab Importer | Affected by | VCID-rqmm-31xc-eqfp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2019-11269.yml | 38.6.0
2026-06-04T20:19:52.663797+00:00 | GitLab Importer | Affected by | VCID-1ndm-y1m9-3feg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2019-3778.yml | 38.6.0
2026-06-04T20:16:14.297520+00:00 | GitLab Importer | Affected by | VCID-pbvw-fs16-67bq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2018-15758.yml | 38.6.0
2026-06-04T20:16:14.018095+00:00 | GitLab Importer | Affected by | VCID-rfwp-tv3x-zqak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2016-4977.yml | 38.6.0
2026-06-04T20:12:08.094003+00:00 | GitLab Importer | Affected by | VCID-uxa4-6eep-8kh6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security.oauth/spring-security-oauth2/CVE-2018-1260.yml | 38.6.0
2026-06-04T18:23:55.010512+00:00 | GHSA Importer | Affected by | VCID-pbvw-fs16-67bq | https://github.com/advisories/GHSA-h8w4-qv99-f7vj | 38.6.0
2026-06-04T18:23:43.833683+00:00 | GHSA Importer | Affected by | VCID-uxa4-6eep-8kh6 | https://github.com/advisories/GHSA-rrpm-pj7p-7j9q | 38.6.0