Open Redirect Affecting org.springframework.security.oauth:spring-security-oauth2 package, versions [2.3.0.RELEASE, 2.3.6.RELEASE), [2.2.0.RELEASE, 2.2.5.RELEASE), [2.1.0.RELEASE, 2.1.5.RELEASE), [2.0.0.RELEASE, 2.0.18.RELEASE)


0.0 medium

Snyk CVSS
  • Attack Complexity: Low
  • User Interaction: Required

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.21% (59th percentile)

NVD
  • 5.4 medium

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITYOAUTH-174830
  • Published: 30 May 2019
  • Disclosed: 30 May 2019
  • Credit: Mike Noordermeer

How to fix?

Upgrade org.springframework.security.oauth:spring-security-oauth2 to version 2.3.6.RELEASE, 2.2.5.RELEASE, 2.1.5.RELEASE, 2.0.18.RELEASE or higher.

Overview

org.springframework.security.oauth:spring-security-oauth2 is a package that provides support for using Spring Security with OAuth (1a) and OAuth2.

Affected versions of this package are vulnerable to Open Redirect. An attacker can craft a request to the authorization endpoint using the authorization code grant type and supply a manipulated redirection URI in the redirect_uri parameter. Because the resolver accepts that URI, the authorization server redirects the resource owner's user-agent to a URI under the attacker's control, leaking the authorization code along with it. This vulnerability exposes applications that meet all of the following requirements:

  • Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
  • Use the DefaultRedirectResolver in the AuthorizationEndpoint
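The resolver is the control that decides where the authorization code is sent, so the defensive property to check is that a requested redirect_uri is accepted only when it matches a registered URI exactly. The example below is added here to illustrate that property; it is not code from Spring Security OAuth, Snyk or the advisory, and the supported remediation remains the upgrade named above. The client registry, client ids and URIs are constructed for the example, and the resolver compares scheme, host, effective port and the verbatim path, refuses userinfo and fragments, and never emits a redirect when the match fails.

```python
"""Strict redirect_uri resolution for an OAuth2 authorization endpoint.

Added illustration; not code from Spring Security OAuth or Snyk. The client
registry below is constructed for the example.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registrations: each client lists its exact redirect URIs.
REGISTERED_REDIRECTS = {
    "client-a": ["https://app.example.com/callback"],
    "client-b": ["https://app.example.com/login/oauth2", "http://localhost:8080/cb"],
}

DEFAULT_PORTS = {"https": 443, "http": 80}


class RedirectMismatch(Exception):
    """Requested redirect_uri does not match any registered URI."""


def _key(uri):
    """Comparison key: scheme, host, effective port and the verbatim path.

    The path is compared as given (no dot-segment collapsing), so anything
    that is not byte-for-byte the registered path is refused.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if not scheme or not parts.hostname:
        raise RedirectMismatch("redirect_uri must be absolute")
    if parts.username or parts.password or parts.fragment:
        raise RedirectMismatch("userinfo and fragments are not allowed in redirect_uri")
    port = parts.port or DEFAULT_PORTS.get(scheme)  # .port raises ValueError on a bad port
    return scheme, parts.hostname, port, parts.path or "/"


def resolve_redirect(requested, client_id, registry=REGISTERED_REDIRECTS):
    """Return the redirect URI to use, or raise RedirectMismatch."""
    registered = registry.get(client_id) or []
    if not registered:
        raise RedirectMismatch("unknown client or no registered redirect URIs")
    if requested is None:
        if len(registered) == 1:
            return registered[0]
        raise RedirectMismatch("redirect_uri is required for this client")
    try:
        wanted = _key(requested)
    except ValueError:
        raise RedirectMismatch("malformed redirect_uri") from None
    requested_query = set(parse_qsl(urlsplit(requested).query, keep_blank_values=True))
    for candidate in registered:
        if _key(candidate) != wanted:
            continue
        # Query parameters that were registered must be present unchanged;
        # the client may add its own (for example one carrying state).
        registered_query = set(parse_qsl(urlsplit(candidate).query, keep_blank_values=True))
        if registered_query <= requested_query:
            return requested
    raise RedirectMismatch("redirect_uri does not match a registered URI")


def is_valid_redirect(requested, client_id):
    """Boolean view of resolve_redirect for callers that only need a yes/no."""
    try:
        resolve_redirect(requested, client_id)
        return True
    except RedirectMismatch:
        return False


def authorize(params, issue_code):
    """Authorization-code grant response: a 302 to a validated URI carrying
    the code, or a 400 with no Location header at all on mismatch."""
    try:
        target = resolve_redirect(params.get("redirect_uri"), params.get("client_id"))
    except RedirectMismatch as exc:
        # Never redirect on mismatch: a redirect would carry the code to
        # whatever URI the request named.
        return {"status": 400, "location": None, "error": str(exc)}
    scheme, netloc, path, query, _ = urlsplit(target)
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs.append(("code", issue_code()))
    if params.get("state") is not None:
        pairs.append(("state", params["state"]))
    location = urlunsplit((scheme, netloc, path, urlencode(pairs), ""))
    return {"status": 302, "location": location, "error": None}


if __name__ == "__main__":
    for uri in ("https://app.example.com/callback",
                "https://app.example.com.attacker.test/callback",
                "https://app.example.com/callback/../other"):
        print(uri, "->", "accepted" if is_valid_redirect(uri, "client-a") else "rejected")
```

The important design choice is in `authorize`: when resolution fails the server answers with an error page and no Location header, so the user-agent is never sent anywhere the request chose. Matching on the verbatim path rather than a normalized or prefix form is deliberately conservative; a client that needs several callback paths registers each of them.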