Privilege Escalation

2022-11-0406:12:45

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

spring security oauth2 client

privilege escalation

gettokenresponse

access token response

0.003 Low

EPSS

Percentile

65.2%

JSON

Spring Security OAuth2 Client is vulnerable to Privilege Escalation. The vulnerability exists in the getTokenResponse function in multiple files due to the authorization server responding with an OAuth2 access token response containing an empty scope list which allows an attacker to modify requests initiated by clients.

CPENameOperatorVersion
spring-security-oauth2-clientle5.4.10
spring-security-oauth2-clientle5.6.8
spring-security-oauth2-clientle5.5.8
spring-security-oauth2-clientle5.7.4
spring-security-oauth2-clientle5.1.13.RELEASE
spring-security-oauth2-clientle5.3.13.RELEASE
spring-security-oauth2-clientle5.2.15.RELEASE
jenkinseq2.346.3.1663151230__1.el8
jenkinseq2.346.3.1661877467__3.el8
jenkinseq2.263.3.1612434510__1.el8

Name	Operator	Version
spring-security-oauth2-client	le	5.4.10
spring-security-oauth2-client	le	5.6.8
spring-security-oauth2-client	le	5.5.8
spring-security-oauth2-client	le	5.7.4
spring-security-oauth2-client	le	5.1.13.RELEASE
spring-security-oauth2-client	le	5.3.13.RELEASE
spring-security-oauth2-client	le	5.2.15.RELEASE
jenkins	eq	2.346.3.1663151230__1.el8
jenkins	eq	2.346.3.1661877467__3.el8
jenkins	eq	2.263.3.1612434510__1.el8