Home

CVE-2019-3778

Description

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
14.855

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 2.0.17Windows
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 2.1.4Windows
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 2.2.4Windows
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 2.3.5Windows
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth 2.0.17Windows
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth 2.1.4Windows
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth 2.2.4Windows
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth 2.3.5Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.1Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.0Windows
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 for Linux 2.0.17Linux
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 for Linux 2.1.4Linux
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 for Linux 2.2.4Linux
Vulnerabilities CVE-2019-3778 are fixed in Spring-security-oauth2 for Linux 2.3.5Linux
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth for Linux 2.0.17Linux
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth for Linux 2.1.4Linux
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth for Linux 2.2.4Linux
Vulnerabilities CVE-2019-3778 are fixed in spring-security-oauth for Linux 2.3.5Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234