UBUNTU-CVE-2024-22258

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-22258

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-22258

Upstream

CVE-2024-22258

Published

2024-03-20T04:15:00Z

Modified

2026-05-20T16:16:34.432328241Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.

References

Affected packages

Ubuntu:16.04:LTS

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

100.*

100.0+dfsg-2

100.0+dfsg-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "100.0+dfsg-2build1"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "100.0+dfsg-2build1"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "100.0+dfsg-2build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"

Ubuntu:18.04:LTS

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

103.*

103.0+dfsg2-1

103.0+dfsg2-1build1

104.*

104.0+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "104.0+dfsg-2"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "104.0+dfsg-2"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "104.0+dfsg-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"

Ubuntu:20.04:LTS

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

104.*

104.0+dfsg-3build2

104.0+dfsg-4ubuntu1

104.0+dfsg-4ubuntu2

104.0+dfsg-4ubuntu5

104.0+dfsg-4ubuntu6

104.0+dfsg-4ubuntu7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "104.0+dfsg-4ubuntu7"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "104.0+dfsg-4ubuntu7"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "104.0+dfsg-4ubuntu7"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"

Ubuntu:22.04:LTS

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

105.*

105.0.1+dfsg-2

105.0.1+dfsg-3ubuntu1

105.0.1+dfsg-3ubuntu2

105.0.1+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "105.0.1+dfsg-4"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "105.0.1+dfsg-4"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "105.0.1+dfsg-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"

Ubuntu:24.04:LTS

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

106.*

106.0+dfsg-2

106.0+dfsg-3

106.0+dfsg-3build2

106.0+dfsg-3build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "106.0+dfsg-3build3"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "106.0+dfsg-3build3"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "106.0+dfsg-3build3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"

Ubuntu:25.10

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

106.*

106.0+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "106.0+dfsg-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"

Ubuntu:26.04:LTS

spring

Package

Name: spring
Purl: pkg:deb/ubuntu/spring?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

106.*

106.0+dfsg-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "spring",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-common",
            "binary_version": "106.0+dfsg-4"
        },
        {
            "binary_name": "spring-javaai",
            "binary_version": "106.0+dfsg-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22258.json"