GHSA-rrpm-pj7p-7j9q

Source

https://github.com/advisories/GHSA-rrpm-pj7p-7j9q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrpm-pj7p-7j9q/GHSA-rrpm-pj7p-7j9q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rrpm-pj7p-7j9q

Aliases

CVE-2018-1260

Published

2018-10-18T18:05:34Z

Modified

2024-05-14T18:00:44.739272Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Spring Security OAuth vulnerable to remote code execution (RCE)

Details

Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:55:47Z"
}

References

Affected packages

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name: org.springframework.security.oauth:spring-security-oauth2; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.3

Affected versions

2.*

2.3.0.RELEASE

2.3.1.RELEASE

2.3.2.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name: org.springframework.security.oauth:spring-security-oauth2; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.2

Affected versions

2.*

2.2.0.RELEASE

2.2.1.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name: org.springframework.security.oauth:spring-security-oauth2; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.2

Affected versions

2.*

2.1.0.RELEASE

2.1.1.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name: org.springframework.security.oauth:spring-security-oauth2; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.15

Affected versions

2.*

2.0.0.RELEASE

2.0.1.RELEASE

2.0.2.RELEASE

2.0.3.RELEASE

2.0.4.RELEASE

2.0.5.RELEASE

2.0.6.RELEASE

2.0.7.RELEASE

2.0.8.RELEASE

2.0.9.RELEASE

2.0.10.RELEASE

2.0.11.RELEASE

2.0.12.RELEASE

2.0.13.RELEASE

2.0.14.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name: org.springframework.security.oauth:spring-security-oauth2; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Last affected

1.0.5

Affected versions

1.*

1.0.0.RELEASE

1.0.1.RELEASE

1.0.2.RELEASE

1.0.3.RELEASE

1.0.4.RELEASE

1.0.5.RELEASE