Spring Security OAuth vulnerable to remote code execution (RCE)

2018-10-1818:05:34

Google

osv.dev

0.047 Low

EPSS

Percentile

92.7%

JSON

Spring Security OAuth versions prior to 2.3.3,prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

CPENameOperatorVersion
org.springframework.security.oauth:spring-security-oauth2eq2.0.6.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.2.0.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.0.8.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.3.0.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.0.10.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.0.1.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.3.2.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.1.1.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.0.5.RELEASE
org.springframework.security.oauth:spring-security-oauth2eq2.0.14.RELEASE

Name	Operator	Version
org.springframework.security.oauth:spring-security-oauth2	eq	2.0.6.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.2.0.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.0.8.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.3.0.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.0.10.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.0.1.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.3.2.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.1.1.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.0.5.RELEASE
org.springframework.security.oauth:spring-security-oauth2	eq	2.0.14.RELEASE