CVE-2021-22119
29.06.2021, 17:15
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.
Vendor | Product | Version
---|---|---
vmware | spring_security | 5.2.0 ≤ x < 5.2.11
vmware | spring_security | 5.3.0 ≤ x < 5.3.10
vmware | spring_security | 5.4.0 ≤ x < 5.4.7
vmware | spring_security | 5.5.0 ≤ x < 5.5.1
oracle | communications_cloud_native_core_policy | 1.14.0

x = vulnerable software version

Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource Consumption: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-863 - Incorrect Authorization: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.