CVE-2022-22969

Severity: 6.5 MEDIUM
EPSS: 0.5% (top 33.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 21; latest update Jan 15

Description

Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests that initiate the Authorization Request for the Authorization Code Grant and, using only a single session, potentially exhaust system resources. Only OAuth 2.0 Client applications are exposed by this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

NVD: pivotal/spring_security_oauth, 2.4.0 to 2.4.2 (+1)
Maven: org.springframework.security.oauth:spring-security-oauth2, 2.5.0.RELEASE to 2.5.2.RELEASE (+1)
CVEListV5: spring_security_oauth, <affected versions> Spring Security OAuth 2.5.x prior to 2.5.2 and older unsupported versions

Patches

Vulnerability Details (3)

GHSA: Denial of service in Spring Security OAuth2 (2022-04-22)
OSV: Denial of service in Spring Security OAuth2 (2022-04-22)
CVEList: CVE-2022-22969: Spring Security OAuth versions 2 (2022-04-21)

Vendor Advisories (2)

Oracle: Oracle Financial Services Applications Risk Matrix: Common (Spring Security Oauth) — CVE-2022-22969 (2024-01-15)
Oracle: Oracle Communications Applications Risk Matrix: Patch Request (Spring Security OAuth) — CVE-2022-22969 (2022-07-15)