CVSS: 5.8EPSS: 6%CPEs: 7EXPL: 2CVE-2019-11269 – Open Redirector in spring-security-oauth2
https://notcve.org/view.php?id=CVE-2019-11269
12 Jun 2019 — Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-a... • https://packetstorm.news/files/id/153299 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 20%CPEs: 7EXPL: 3CVE-2019-3778 – Open Redirect in spring-security-oauth2
https://notcve.org/view.php?id=CVE-2019-3778
07 Mar 2019 — Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner us... • https://packetstorm.news/files/id/153299 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.6EPSS: 0%CPEs: 5EXPL: 0CVE-2018-15758 – Privilege Escalation in spring-security-oauth2
https://notcve.org/view.php?id=CVE-2018-15758
18 Oct 2018 — Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endp... • http://www.securityfocus.com/bid/105687 • CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 51%CPEs: 4EXPL: 0CVE-2018-1260 – spring-security-oauth: remote code execution in the authorization process
https://notcve.org/view.php?id=CVE-2018-1260
11 May 2018 — Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint. Spring Security OAuth, en versiones 2.3 anteriores a la 2.3.3, versiones 2.2 anteriores a la 2.2.2, versiones 2.1 anteriores ... • http://www.securityfocus.com/bid/104158 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 8.8EPSS: 94%CPEs: 16EXPL: 2CVE-2016-4977
https://notcve.org/view.php?id=CVE-2016-4977
25 May 2017 — When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type. Cuando se procesan las peticiones de autorización usando las vistas whitelabel en Spring Security OAuth versiones 2.0.0 hasta 2.0.9 y versiones 1.0.0 hasta 1.0.5, el valor del parámetro response_type fue ejecuta... • https://github.com/N0b1e6/CVE-2016-4977-POC • CWE-19: Data Processing Errors •