GHSA-w9jg-gvgr-354m

Source
https://github.com/advisories/GHSA-w9jg-gvgr-354m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-w9jg-gvgr-354m/GHSA-w9jg-gvgr-354m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w9jg-gvgr-354m
Aliases
Published
2021-07-02T18:33:34Z
Modified
2023-11-08T04:04:54.193370Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Resource Exhaustion in Spring Security
Details

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a denial-of-service (DoS) attack via initiation of the Authorization Request in an OAuth 2.0 Client application, on both the Servlet (Web) and WebFlux stacks. A malicious user or attacker can send many requests that each initiate the Authorization Request for the Authorization Code Grant; every such request consumes server-side resources, so the attacker can exhaust them from a single session or across many sessions. No credentials or user interaction are needed (the CVSS vector is PR:N/UI:N) and the impact is to availability only. The attack surface is the OAuth 2.0 Client authorization flow, so applications that do not act as an OAuth 2.0 Client are not reachable through this path; both spring-security-core and spring-security-oauth2-client are listed as affected and should be moved to the fixed release of the branch in use.
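
As an added check, not code from the OSV page or from the Spring Security project: the Python script below transcribes the four affected ranges listed for both artifacts on this page and classifies a version against them with OSV event semantics (introduced <= version < fixed). It handles the two version spellings the page mixes, `5.4.6` and the older `5.3.9.RELEASE`, so that `5.3.9.RELEASE` sorts below `5.3.10` (a plain string comparison gets this wrong), refuses to classify pre-release qualifiers the advisory says nothing about, and scans `mvn dependency:tree` output for affected coordinates. The `mvn dependency:tree` line format, the GA-only version grammar and the sample tree are assumptions made for this example.

```python
"""Version-range check for GHSA-w9jg-gvgr-354m.

Added example; not code from the OSV page or from the Spring Security project.
AFFECTED is transcribed from the advisory's ECOSYSTEM ranges (introduced <=
version < fixed). The version grammar and the `mvn dependency:tree` line
format are assumptions made for this example.
"""
import re

# Transcribed from the advisory: (introduced, fixed) per maintenance branch.
_RANGES = [
    ("5.2.0", "5.2.11"),
    ("5.3.0", "5.3.10"),
    ("5.4.0", "5.4.7"),
    ("5.5.0", "5.5.1"),
]

# Both artifacts listed on the page carry the same four ranges.
AFFECTED = {
    "org.springframework.security:spring-security-core": _RANGES,
    "org.springframework.security:spring-security-oauth2-client": _RANGES,
}

# GA versions only: "5.4.6" or the older "5.3.9.RELEASE" form. Pre-release
# qualifiers (RC1, M1, SNAPSHOT) are deliberately rejected: the advisory says
# nothing about them, so they are reported as unknown rather than guessed.
_GA_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?")


def parse_version(version):
    """Return (major, minor, patch) for a GA version, or None otherwise."""
    m = _GA_VERSION.fullmatch(version.strip())
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def fixed_version_for(package, version):
    """Return the fixed release on the same branch when `version` of
    `package` lies inside an affected range, else None."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    for introduced, fixed in AFFECTED.get(package, ()):
        if parse_version(introduced) <= parsed < parse_version(fixed):
            return fixed
    return None


def is_affected(package, version):
    """Three-way answer: True (inside an affected range), False (outside
    every range), None (package not in the advisory or non-GA version)."""
    if package not in AFFECTED or parse_version(version) is None:
        return None
    return fixed_version_for(package, version) is not None


# Assumed shape of the artifact lines printed by `mvn dependency:tree`, e.g.
# "[INFO] +- org.springframework.security:spring-security-core:jar:5.4.6:compile"
_TREE_LINE = re.compile(
    r"(org\.springframework\.security):(spring-security-[a-z0-9-]+):jar:([^:\s]+):"
)


def scan_dependency_tree(tree_output):
    """Return [(coordinate, version, fixed_version)] for every affected
    artifact found in `mvn dependency:tree` output."""
    findings = []
    for m in _TREE_LINE.finditer(tree_output):
        coordinate = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        fixed = fixed_version_for(coordinate, version)
        if fixed is not None:
            findings.append((coordinate, version, fixed))
    return findings


# Constructed sample of `mvn dependency:tree` output, not captured from a real build.
SAMPLE_TREE = """\
[INFO] com.example:oauth-demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-oauth2-client:jar:2.4.5:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.4.6:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.4.6:compile
[INFO] |  +- org.springframework.security:spring-security-oauth2-client:jar:5.4.6:compile
[INFO] |  \\- org.springframework.security:spring-security-oauth2-jose:jar:5.4.6:compile
[INFO] \\- org.springframework.security:spring-security-web:jar:5.4.6:compile
"""

if __name__ == "__main__":
    for coordinate, version, fixed in scan_dependency_tree(SAMPLE_TREE):
        print(f"{coordinate}:{version} is affected by GHSA-w9jg-gvgr-354m; upgrade to {fixed}")
```

Feed it the real `mvn dependency:tree` output of the project under audit instead of SAMPLE_TREE. A version carrying a pre-release qualifier comes back as unknown rather than being silently treated as fixed, and the transcribed AFFECTED table can be replaced with the ranges from the JSON Data URL above if you want the live advisory data.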

Database specific
{
    "nvd_published_at": "2021-06-29T17:15:00Z",
    "github_reviewed_at": "2021-06-30T17:30:10Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400",
        "CWE-863"
    ]
}
References

Affected packages

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.5.1

Affected versions

5.*

5.5.0

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.4.7

Affected versions

5.*

5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.10

Affected versions

5.*

5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE
5.3.8.RELEASE
5.3.9.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 5.3.9"
}

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.11

Affected versions

5.*

5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 5.2.10"
}

Maven / org.springframework.security:spring-security-oauth2-client

Package

Name
org.springframework.security:spring-security-oauth2-client
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.5.1

Affected versions

5.*

5.5.0

Maven / org.springframework.security:spring-security-oauth2-client

Package

Name
org.springframework.security:spring-security-oauth2-client
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.4.7

Affected versions

5.*

5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6

Maven / org.springframework.security:spring-security-oauth2-client

Package

Name
org.springframework.security:spring-security-oauth2-client
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.10

Affected versions

5.*

5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE
5.3.8.RELEASE
5.3.9.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 5.3.9"
}

Maven / org.springframework.security:spring-security-oauth2-client

Package

Name
org.springframework.security:spring-security-oauth2-client
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.2.11

Affected versions

5.*

5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 5.2.10"
}