spring-security-core-5.4.6.jar vulnerability
Issue date: 21-09-2021
Affects versions: 14.6
Security Issue ID
SECURITY-249
Affected Product Version(s)
14.6.0 and previous releases.
Severity
medium
Description
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. An unauthenticated attacker can send many requests that initiate the Authorization Request for the Authorization Code Grant, which can exhaust system resources using either a single session or many sessions.
CWE-863 Incorrect Authorization
CVSSv2:
- Base Score: MEDIUM (5.0)
- Vector: /AV:N/AC:L/Au:N/C:N/I:N/A
CVSSv3:
- Base Score: HIGH (7.5)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Referenced In Projects/Scopes:
- BrX SaaS CMS Dependencies:compile
- BrX SaaS CMS:compile
- Hippo Addon CRISP HST Tools:compile
- Starter Store Addon Dependencies for SITE:compile
- Starter Store Addon Dependencies for CMS:compile
- Hippo Addon CRISP Core:compile
- BrX SaaS Integration Tests:compile
Instructions
Customers running any 14.x release should upgrade to the latest version in the 14.x series. Spring Security 5.4.7 is the first fixed release on the 5.4.x line that 14.6 ships (spring-security-core-5.4.6.jar), so after upgrading confirm that no spring-security-core jar older than 5.4.7 remains on the application's classpath.
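The following script is an added example for checking a deployment against the version ranges given in the Description; it is not part of this advisory or of the product. It scans a lib directory (for example a webapp's WEB-INF/lib) for spring-security-core jars, reads the version from the file name or, for a renamed jar, from the manifest's Implementation-Version header (an assumption about how the jar was built), and reports whether each one falls in an affected range. The sample jars it scans are constructed inline so it runs offline.

```python
"""Flag spring-security-core jars whose version falls in the ranges this
advisory lists as affected (5.2.x < 5.2.11, 5.3.x < 5.3.10, 5.4.x < 5.4.7,
5.5.x < 5.5.1). Added example, not vendor code."""
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed release per minor line, taken from the advisory's Description.
FIXED_BY_LINE = {
    (5, 5): (5, 5, 1),
    (5, 4): (5, 4, 7),
    (5, 3): (5, 3, 10),
    (5, 2): (5, 2, 11),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Matches spring-security-core-5.4.6.jar and older names like
# spring-security-core-5.3.9.RELEASE.jar.
_JAR_RE = re.compile(r"^spring-security-core-(\d+\.\d+\.\d+)(?:[.-].*)?\.jar$")


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, else None."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def affected(version):
    """True/False for the 5.2-5.5 lines the advisory covers; None for a line it
    does not mention (older lines are out of support and need separate review)."""
    fixed = FIXED_BY_LINE.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def version_from_jar(jar_path):
    """Version from the file name, else from the manifest's Implementation-Version
    (assumption: the jar carries that header, as Spring artifacts normally do)."""
    m = _JAR_RE.match(jar_path.name)
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def scan_lib_dir(lib_dir):
    """Map each spring-security-core jar under lib_dir to (version, affected)."""
    results = {}
    for jar in sorted(Path(lib_dir).rglob("spring-security-core*.jar")):
        version = version_from_jar(jar)
        results[jar.name] = (version, affected(version) if version else None)
    return results


def _build_sample_lib(root):
    """Constructed sample: stub jars named like real artifacts, plus one renamed
    jar whose version is only present in its manifest."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name in ("spring-security-core-5.4.6.jar", "spring-security-core-5.5.1.jar",
                 "spring-security-core-5.3.9.RELEASE.jar"):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(root / "spring-security-core.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 5.2.11\n")
    return root


def run_sample():
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_lib_dir(_build_sample_lib(tmp))


if __name__ == "__main__":
    for name, (ver, hit) in run_sample().items():
        label = {True: "AFFECTED", False: "fixed", None: "unknown"}[hit]
        print(f"{name}: {'.'.join(map(str, ver)) if ver else '?'} {label}")
```

Point `scan_lib_dir` at a real deployment directory to use it; a result of None means the version could not be determined or the line is outside the advisory's stated ranges, which should be reviewed by hand rather than treated as safe.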