| Field | Value |
|---|---|
| purl | pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.1.2.RELEASE |
| Next non-vulnerable version | 2.1.3 |
| Latest non-vulnerable version | 2.5.2.RELEASE |
| Risk | 4.0 |
| Vulnerability | Aliases | Summary | Fixed by |
|---|---|---|---|
| VCID-1ndm-y1m9-3feg | CVE-2019-3778, GHSA-77rv-6vfw-x4gc | URL Redirection to Untrusted Site. Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner's user agent to a URI under the attacker's control, leaking the authorization code. This vulnerability exposes applications that meet all of the following requirements: they act in the role of an Authorization Server (e.g. `@EnableAuthorizationServer`) and use the `DefaultRedirectResolver` in the `AuthorizationEndpoint`. It does not expose applications that act as an Authorization Server but use a `RedirectResolver` implementation other than `DefaultRedirectResolver`, that act as a Resource Server only (e.g. `@EnableResourceServer`), or that act as a Client only (e.g. `@EnableOAuthClient`). | |
| VCID-pbvw-fs16-67bq | CVE-2018-15758, GHSA-h8w4-qv99-f7vj | Improper Privilege Management. Spring Security OAuth is susceptible to privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that modifies the previously saved authorization request and leads to a privilege escalation on the subsequent approval. | |
| VCID-rqmm-31xc-eqfp | CVE-2019-11269, GHSA-mmf6-6597-3v6m | URL Redirection to Untrusted Site (Open Redirect). Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type and specify a manipulated redirection URI via the `redirect_uri` parameter. This can cause the authorization server to redirect the resource owner's user agent to a URI under the attacker's control, leaking the authorization code. | |

| Vulnerability | Aliases | Summary |
|---|---|---|
| VCID-uxa4-6eep-8kh6 | CVE-2018-1260, GHSA-rrpm-pj7p-7j9q | Code Injection. Spring Security OAuth contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint. |