Severity: 7.5 HIGH
EPSS: 4.9% (top 10.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 29; Latest update Jul 15

Description

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. An unauthenticated attacker can repeatedly send requests that initiate the Authorization Request for the Authorization Code Grant; because each initiation consumes server-side resources, this can exhaust system resources whether the requests reuse a single session or are spread across many sessions. The issue is fixed in 5.5.1, 5.4.7, 5.3.10 and 5.2.11; applications that do not act as an OAuth 2.0 Client do not expose the affected code path.
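The pattern the description names (many Authorization Request initiations from one client, with or without a reused session) is what a detection should look for. The following is an added example, not code from this page or from the Spring Security project: it parses constructed access-log lines and flags clients that initiate the Authorization Request more than a threshold number of times inside a sliding window, reporting whether they reused a session or presented none at all (which forces the server to create a new session per request). Assumptions: the application keeps Spring Security's default initiation base path /oauth2/authorization/{registrationId}; the log format (client IP, ISO timestamp, request line, status, session id or "-") is a constructed one; the window and threshold are placeholders to tune against real traffic.

```python
"""Flag clients that repeatedly initiate the OAuth 2.0 Authorization Request (CVE-2021-22119 pattern)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the app keeps Spring Security's default base URI for initiating the
# Authorization Request, /oauth2/authorization/{registrationId}.
AUTHZ_BASE_URI = "/oauth2/authorization/"

# Constructed log format (not a stock Tomcat/Nginx format):
#   <client_ip> <iso_timestamp> "<METHOD> <path>" <status> <session_id or ->
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<sid>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_authz_initiation(rec):
    """True for a GET that starts the Authorization Code Grant on this client."""
    return rec["method"] == "GET" and rec["path"].startswith(AUTHZ_BASE_URI)


def find_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: stats} for clients whose initiations inside any `window` reach `threshold`.

    stats: max_in_window (peak count inside one window), sessions (distinct session ids
    presented), sessionless (requests carrying no session id, each of which forces the
    server to create a fresh session).
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_authz_initiation(rec):
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()  # timestamps inside the current sliding window
        peak = 0
        for r in recs:
            recent.append(r["ts"])
            while r["ts"] - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            sids = {r["sid"] for r in recs if r["sid"] != "-"}
            findings[ip] = {
                "max_in_window": peak,
                "sessions": len(sids),
                "sessionless": sum(1 for r in recs if r["sid"] == "-"),
            }
    return findings


def constructed_sample():
    """Constructed log lines for the demo (not captured traffic)."""
    base = datetime(2021, 7, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # Attacker A: 30 initiations in 30 s with no session cookie (a new session per request).
    for i in range(30):
        lines.append(f'203.0.113.7 {stamp(i)} "GET /oauth2/authorization/google" 302 -')
    # Attacker B: 25 initiations in 25 s reusing a single session.
    for i in range(25):
        lines.append(f'198.51.100.9 {stamp(i)} "GET /oauth2/authorization/okta" 302 S1')
    # Legitimate user: one login start, then a normal page view.
    lines.append(f'192.0.2.3 {stamp(0)} "GET /oauth2/authorization/google" 302 S2')
    lines.append(f'192.0.2.3 {stamp(5)} "GET /home" 200 S2')
    return lines


if __name__ == "__main__":
    for ip, stats in find_bursts(constructed_sample()).items():
        print(ip, stats)
```

Run against the constructed sample, both attackers are reported and the legitimate user is not; the sessionless count distinguishes the "many sessions" variant from the "one session" variant, which matters when deciding whether to rate-limit by session or by client address.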

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Reachable over the network with low attack complexity and no privileges or user interaction; the impact is confined to availability (no confidentiality or integrity loss).

Affected packages (5 packages)

NVD: vmware/spring_security, 5.2.0 to 5.2.11 (exclusive), +3 more ranges
CVEList V5: spring_security, Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11
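To turn the ranges above into an actionable check, here is an added example (not from this page or from the Spring Security project) that decides whether a given Spring Security version falls inside an affected range and scans a constructed `mvn dependency:tree` excerpt for Spring Security artifacts. Branches the advisory does not list (for example 5.1.x or 5.6+) return None rather than a verdict; a pre-release qualifier such as -SNAPSHOT or .RC1 on a fixed version number is treated as preceding the fix, while the older .RELEASE suffix is a GA build. Since only applications using the OAuth 2.0 Client support expose the vulnerable code path, the scan also reports whether the spring-security-oauth2-client artifact is present. The version strings and tree excerpt are constructed for the demo.

```python
"""Check Spring Security versions against the CVE-2021-22119 affected ranges."""
import re

# (major, minor) branch -> first fixed version, as listed in the advisory.
FIXED_IN = {
    (5, 2): (5, 2, 11),
    (5, 3): (5, 3, 10),
    (5, 4): (5, 4, 7),
    (5, 5): (5, 5, 1),
}

# Qualifiers that mark a build as preceding the GA release of the same number.
PRE_RELEASE = re.compile(r"^(SNAPSHOT|M\d+|RC\d+)$", re.IGNORECASE)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9]+))?$")


def parse_version(version):
    """Split '5.3.9.RELEASE' / '5.5.1-SNAPSHOT' / '5.4.6' into ((major, minor, patch), qualifier)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Security version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch)), qualifier


def is_affected(version):
    """True/False for branches the advisory covers; None for branches it does not mention."""
    core, qualifier = parse_version(version)
    fixed = FIXED_IN.get(core[:2])
    if fixed is None:
        return None
    if core < fixed:
        return True
    # A SNAPSHOT/M/RC build of the fixed version number still predates the fix.
    if core == fixed and qualifier and PRE_RELEASE.match(qualifier):
        return True
    return False


# Matches artifact lines from `mvn dependency:tree`.
DEP_RE = re.compile(r"org\.springframework\.security:(spring-security-[\w-]+):jar:([^:\s]+)")


def scan_dependency_tree(text):
    """Return one (artifact, version, affected) tuple per Spring Security artifact found."""
    return [(artifact, version, is_affected(version)) for artifact, version in DEP_RE.findall(text)]


def uses_oauth2_client(results):
    """The vulnerable code path lives in the OAuth 2.0 Client support module."""
    return any(artifact == "spring-security-oauth2-client" for artifact, _, _ in results)


# Constructed `mvn dependency:tree` excerpt (not from a real project).
SAMPLE_TREE = """\
[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.4.6:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.4.6:compile
[INFO] |  \\- org.springframework.security:spring-security-oauth2-core:jar:5.4.6:compile
[INFO] +- org.springframework.security:spring-security-web:jar:5.4.6:compile
"""

if __name__ == "__main__":
    results = scan_dependency_tree(SAMPLE_TREE)
    for artifact, version, affected in results:
        verdict = "AFFECTED" if affected else ("ok" if affected is False else "not covered")
        print(f"{artifact} {version}: {verdict}")
    print("OAuth 2.0 Client support present:", uses_oauth2_client(results))
```

The same check applies to a Gradle `dependencies` report if the regex is adapted to its `group:artifact:version` lines; in either case the decision that matters is the combination of an affected version and the presence of the OAuth 2.0 Client module.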

Patches

Vulnerability details (3)

GHSA: Resource Exhaustion in Spring Security (2021-07-02)
OSV: Resource Exhaustion in Spring Security (2021-07-02)
CVEList: CVE-2021-22119: Spring Security versions 5 (2021-06-29)

Vendor advisories (3)

Oracle: Oracle Communications Risk Matrix: NRF (Spring Security), CVE-2021-22119 (2022-07-15)
Oracle: Oracle Communications Risk Matrix: Policy (Spring Security), CVE-2021-22119 (2022-01-15)
Red Hat: spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request (2021-06-28)
CVE-2021-22119 (HIGH, CVSS 7.5) | cvebase.io