Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJycG0tcGo3cC03ajlx

Spring Security OAuth vulnerable to remote code execution (RCE)

Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

Permalink: https://github.com/advisories/GHSA-rrpm-pj7p-7j9q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJycG0tcGo3cC03ajlx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: 18 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-rrpm-pj7p-7j9q, CVE-2018-1260
Blast Radius: 38.9

Affected Packages

maven:org.springframework.security.oauth:spring-security-oauth2
Dependent packages: 461
Dependent repositories: 9,309
Affected Version Ranges: >= 2.0.0, < 2.0.15, >= 2.1.0, < 2.1.2, >= 2.2.0, < 2.2.2, >= 2.3.0, < 2.3.3
Fixed in: 2.0.15, 2.1.2, 2.2.2, 2.3.3