Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.springframework.security.oauth:spring-security-oauth2(Maven) | 2.3.0 | 2.3.3 | N/A |
| org.springframework.security.oauth:spring-security-oauth2(Maven) | 2.2.0 | 2.2.2 | N/A |
| org.springframework.security.oauth:spring-security-oauth2(Maven) | 2.1.0 | 2.1.2 | N/A |
| org.springframework.security.oauth:spring-security-oauth2(Maven) | 2.0.0 | 2.0.15 | N/A |
| org.springframework.security.oauth:spring-security-oauth2(Maven) | 1.0.0 | N/A | N/A |
CVSS Metrics
