GHSA-w9jg-gvgr-354m

Source

https://github.com/advisories/GHSA-w9jg-gvgr-354m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-w9jg-gvgr-354m/GHSA-w9jg-gvgr-354m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w9jg-gvgr-354m

Aliases

CVE-2021-22119

Published

2021-07-02T18:33:34Z

Modified

2023-11-08T04:04:54.193370Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Resource Exhaustion in Spring Security

Details

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

Database specific

{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400",
        "CWE-863"
    ],
    "github_reviewed_at": "2021-06-30T17:30:10Z",
    "nvd_published_at": "2021-06-29T17:15:00Z"
}

References

Affected packages

Maven

org.springframework.security:spring-security-core

Package

Name: org.springframework.security:spring-security-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.5.1

Affected versions

5.*

5.5.0

org.springframework.security:spring-security-core

Package

Name: org.springframework.security:spring-security-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.4.0

Fixed

5.4.7

Affected versions

5.*

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

org.springframework.security:spring-security-core

Package

Name: org.springframework.security:spring-security-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.3.10

Affected versions

5.*

5.3.0.RELEASE

5.3.1.RELEASE

5.3.2.RELEASE

5.3.3.RELEASE

5.3.4.RELEASE

5.3.5.RELEASE

5.3.6.RELEASE

5.3.7.RELEASE

5.3.8.RELEASE

5.3.9.RELEASE

Database specific

last_known_affected_version_range

"<= 5.3.9"

org.springframework.security:spring-security-core

Package

Name: org.springframework.security:spring-security-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

5.2.11

Affected versions

5.*

5.2.0.RELEASE

5.2.1.RELEASE

5.2.2.RELEASE

5.2.3.RELEASE

5.2.4.RELEASE

5.2.5.RELEASE

5.2.6.RELEASE

5.2.7.RELEASE

5.2.8.RELEASE

5.2.9.RELEASE

5.2.10.RELEASE

Database specific

last_known_affected_version_range

"<= 5.2.10"

org.springframework.security:spring-security-oauth2-client

Package

Name: org.springframework.security:spring-security-oauth2-client; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.5.1

Affected versions

5.*

5.5.0

org.springframework.security:spring-security-oauth2-client

Package

Name: org.springframework.security:spring-security-oauth2-client; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.4.0

Fixed

5.4.7

Affected versions

5.*

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

org.springframework.security:spring-security-oauth2-client

Package

Name: org.springframework.security:spring-security-oauth2-client; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.3.10

Affected versions

5.*

5.3.0.RELEASE

5.3.1.RELEASE

5.3.2.RELEASE

5.3.3.RELEASE

5.3.4.RELEASE

5.3.5.RELEASE

5.3.6.RELEASE

5.3.7.RELEASE

5.3.8.RELEASE

5.3.9.RELEASE

Database specific

last_known_affected_version_range

"<= 5.3.9"

org.springframework.security:spring-security-oauth2-client

Package

Name: org.springframework.security:spring-security-oauth2-client; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

5.2.11

Affected versions

5.*

5.2.0.RELEASE

5.2.1.RELEASE

5.2.2.RELEASE

5.2.3.RELEASE

5.2.4.RELEASE

5.2.5.RELEASE

5.2.6.RELEASE

5.2.7.RELEASE

5.2.8.RELEASE

5.2.9.RELEASE

5.2.10.RELEASE

Database specific

last_known_affected_version_range

"<= 5.2.10"