CVE-2018-1260
Published 2018-05-11
Priority P263 · critical · 9.8 (CVSS 3.0) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.35% (94.3rd percentile)
Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contain a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotal | spring_security_oauth | — | — |
| pivotal_software | spring_security_oauth | <= 2.0.14 | — |
| pivotal_software | spring_security_oauth | 2.1 – 2.1.1 | — |
| pivotal_software | spring_security_oauth | 2.2 – 2.2.1 | — |
| pivotal_software | spring_security_oauth | 2.3 – 2.3.2 | — |
Detection & IOCs (extracted from sources)
- Attack vector: the authorization endpoint, via a crafted authorization request that triggers RCE when the resource owner is forwarded to the approval endpoint.
- Affected versions: Spring Security OAuth 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15, and older unsupported versions.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
Spring Security OAuth vulnerable to remote code execution (RCE)
ghsa · 2018-10-18 · CVE-2018-1260 · CRITICAL · CWE-94
Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
OSV
Spring Security OAuth vulnerable to remote code execution (RCE)
osv · 2018-10-18 · CVE-2018-1260 · CRITICAL
Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
Red Hat
spring-security-oauth: remote code execution in the authorization process
vendor_redhat · 2018-05-09 · CVSS 9.8 · CVE-2018-1260 · CRITICAL · CWE-267
Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contain a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
Package: spring-security-oauth (Red Hat JBoss Fuse Integration Service 2) - Affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process
bugzilla · 2018-05-30 · CVSS 9.8 · CRITICAL
A flaw was found in Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions, which contain a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
References:
https://pivotal.io/security/cve-2018-1260
Discussion:
Shouldn't this be marked as critical as that's how the Pivotal CVE is classified?
---
This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes (text-only advisories)
Via RHSA-2018:1809
References
- http://www.securityfocus.com/bid/104158
- https://access.redhat.com/errata/RHSA-2018:1809
- https://access.redhat.com/errata/RHSA-2018:2939
- https://pivotal.io/security/cve-2018-1260