CVE-2019-11269 MEDIUM

CVE-2019-11269: Open Redirector in spring-security-oauth2

Vendor Spring

Product Spring Security OAuth

Weakness CWE-601 · Open redirect

Published June 12, 2019

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

4.2/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.

Key dates

02Disclosure timeline

June 12, 2019 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-11269 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

Identifiers

CVE CVE-2019-11269

CWE CWE-601

CVSS 4.2 / MEDIUM

Affected versions

Vendor Spring

Product Spring Security OAuth

Affected ≥ 2.2 and < v2.2.5.RELEASE

Vendor Spring

Product Spring Security OAuth

Affected ≥ 2.1 and < v2.1.5.RELEASE

Vendor Spring

Product Spring Security OAuth

Affected ≥ 2.0 and < v2.0.18.RELEASE

Vendor Spring

Product Spring Security OAuth

Affected ≥ 2.3 and < v2.3.6.RELEASE

CVE-2019-11269: Open Redirector in spring-security-oauth2

01Description

02Disclosure timeline

03References

04Related CVE