CVE-2019-11269 Information

Description

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions, could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner's user-agent to a URI under the control of the attacker, together with the leaked authorization code.
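The defence against this bug class is to accept a redirect_uri only when it exactly matches a value the client pre-registered. The following Python is an added illustration, not code from the advisory or from Spring Security OAuth: it contrasts a lax prefix check with a strict canonicalised match, using a constructed registered URI and constructed incoming values.

```python
from urllib.parse import urlsplit

# Constructed sample registration (illustrative value, not from the advisory):
# the one redirect URI this client pre-registered with the authorization server.
REGISTERED_REDIRECT_URI = "https://client.example/callback"


def canonical(uri: str):
    """Return (scheme, host, port, path, query) for a redirect URI, or None when
    the URI cannot be a valid redirect target: non-http(s) scheme, missing host,
    userinfo (user@host tricks), an unparsable port, or a fragment, which
    RFC 6749 forbids in redirect URIs."""
    try:
        p = urlsplit(uri)
        port = p.port
    except ValueError:
        return None
    scheme = p.scheme.lower()
    if scheme not in ("http", "https") or not p.hostname or p.username or p.fragment:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, p.hostname.lower(), port, p.path or "/", p.query)


def lax_prefix_match(requested: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """The weak pattern behind open-redirect bugs of this kind: anything that
    merely starts with the registered value is accepted, so extra path
    segments, query strings and fragments chosen by the requester all pass."""
    return requested.startswith(registered)


def strict_match(requested: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """Mitigation: accept the redirect_uri only if, after canonicalisation, it
    is an exact match for a pre-registered value (RFC 6749 section 3.1.2.2)."""
    req, reg = canonical(requested), canonical(registered)
    return req is not None and req == reg


if __name__ == "__main__":
    # Constructed redirect_uri values as they might reach the authorization endpoint.
    for uri in (
        "https://client.example/callback",
        "HTTPS://CLIENT.EXAMPLE:443/callback",
        "https://client.example/callback/../other",
        "https://client.example/callback?next=https://other.example/",
        "https://client.example/callback#frag",
        "https://client.example@other.example/callback",
    ):
        print(f"{uri!r:62} lax={lax_prefix_match(uri)!s:5} strict={strict_match(uri)}")
```

Note that the lax check also rejects the legitimate upper-cased, explicit-port form of the registered URI, while the strict match accepts it: canonicalisation is what makes exact matching practical.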

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Reference

http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html

https://pivotal.io/security/cve-2019-11269

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
