CVE-2018-1260
Spring Security OAuth vulnerable to remote code execution (RCE)
9.8
CRITICAL
CVSS 3.1
EPSS 52.3%
Description
Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.
How to fix CVE-2018-1260
To remediate CVE-2018-1260, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.3 or later
Is CVE-2018-1260 being exploited?
Likely — EPSS is 52.3%, placing CVE-2018-1260 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 2.3.0, < 2.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |