CVE-2018-1260

CWE-94 — Code Injection CWE-2676 documents6 sources

Severity

9.8CRITICAL

EPSS

50.3%

top 2.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Spring Security Oauth Pivotal Spring Security Oauth

Timeline

PublishedMay 11

Latest updateOct 18

Description

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.springframework.security.oauth:spring-security-oauth22.3.0 — 2.3.3+4

▶NVDpivotal_software/spring_security_oauth2.1 — 2.1.1+3

▶CVEListV5pivotal/spring_security_oauth2.3 prior to 2.3.3; 2.2 prior to 2.2.2; 2.1 prior to 2.1.2; 2.0 prior to 2.0.15

🔴Vulnerability Details

GHSA

Spring Security OAuth vulnerable to remote code execution (RCE)↗2018-10-18

▶

OSV

Spring Security OAuth vulnerable to remote code execution (RCE)↗2018-10-18

▶

CVEList

CVE-2018-1260: Spring Security OAuth, versions 2↗2018-05-11

▶

📋Vendor Advisories

Red Hat

spring-security-oauth: remote code execution in the authorization process↗2018-05-09

▶

💬Community

Bugzilla

CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process↗2018-05-30

▶