CVE-2018-1260
CRITICAL9.8EPSS 52.3%Spring Security OAuth vulnerable to remote code execution (RCE)
Published: 10/18/2018Modified: 5/14/2024
Description
Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
Affected packages (1)
- Maven/org.springframework.security.oauth:spring-security-oauth2>= 2.3.0, < 2.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-rrpm-pj7p-7j9q
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-1260
- PATCHhttps://github.com/spring-attic/spring-security-oauth
- WEBhttps://access.redhat.com/errata/RHSA-2018:1809
- WEBhttps://access.redhat.com/errata/RHSA-2018:2939
- WEBhttps://pivotal.io/security/cve-2018-1260
- WEBhttps://web.archive.org/web/20200227123539/http://www.securityfocus.com/bid/104158