GHSA-rrpm-pj7p-7j9q

Suggest an improvement
Source
https://github.com/advisories/GHSA-rrpm-pj7p-7j9q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrpm-pj7p-7j9q/GHSA-rrpm-pj7p-7j9q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rrpm-pj7p-7j9q
Aliases
Published
2018-10-18T18:05:34Z
Modified
2024-05-14T18:00:44.739272Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Spring Security OAuth vulnerable to remote code execution (RCE)
Details

Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

References

Affected packages

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name
org.springframework.security.oauth:spring-security-oauth2
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.3

Affected versions

2.*

2.3.0.RELEASE
2.3.1.RELEASE
2.3.2.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name
org.springframework.security.oauth:spring-security-oauth2
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.2

Affected versions

2.*

2.2.0.RELEASE
2.2.1.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name
org.springframework.security.oauth:spring-security-oauth2
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2

Affected versions

2.*

2.1.0.RELEASE
2.1.1.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name
org.springframework.security.oauth:spring-security-oauth2
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.15

Affected versions

2.*

2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.0.6.RELEASE
2.0.7.RELEASE
2.0.8.RELEASE
2.0.9.RELEASE
2.0.10.RELEASE
2.0.11.RELEASE
2.0.12.RELEASE
2.0.13.RELEASE
2.0.14.RELEASE

Maven / org.springframework.security.oauth:spring-security-oauth2

Package

Name
org.springframework.security.oauth:spring-security-oauth2
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security.oauth/spring-security-oauth2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Last affected
1.0.5

Affected versions

1.*

1.0.0.RELEASE
1.0.1.RELEASE
1.0.2.RELEASE
1.0.3.RELEASE
1.0.4.RELEASE
1.0.5.RELEASE