CVE-2018-1260: Code Injection
First published: Fri May 11 2018(Updated: )
A flaw was found in Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint. References: <a href="https://pivotal.io/security/cve-2018-1260">https://pivotal.io/security/cve-2018-1260</a>
Credit: security_alert@emc.com security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/spring-security-oauth | <2.3.3 | 2.3.3 |
| redhat/spring-security-oauth | <2.2.2 | 2.2.2 |
| redhat/spring-security-oauth | <2.1.2 | 2.1.2 |
| redhat/spring-security-oauth | <2.0.15 | 2.0.15 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=1.0.0<=1.0.5 | |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.0.0<2.0.15 | 2.0.15 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.1.0<2.1.2 | 2.1.2 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.2.0<2.2.2 | 2.2.2 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.3.0<2.3.3 | 2.3.3 |
| Spring Security OAuth | <=2.0.14 | |
| Spring Security OAuth | >=2.1<=2.1.1 | |
| Spring Security OAuth | >=2.2<=2.2.1 | |
| Spring Security OAuth | >=2.3<=2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/104158
- https://access.redhat.com/errata/RHSA-2018:1809
- https://access.redhat.com/errata/RHSA-2018:2939
- https://pivotal.io/security/cve-2018-1260
- https://goo.gl/hKpzJK
- https://bugzilla.redhat.com/show_bug.cgi?id=1584376
- https://nvd.nist.gov/vuln/detail/CVE-2018-1260
- https://github.com/advisories/GHSA-rrpm-pj7p-7j9q (Advisory)
- https://web.archive.org/web/20200227123539/http://www.securityfocus.com/bid/104158
Frequently Asked Questions
What is the severity of CVE-2018-1260?
CVE-2018-1260 is classified as a remote code execution vulnerability with a high severity rating.
How do I fix CVE-2018-1260?
To fix CVE-2018-1260, upgrade Spring Security OAuth to version 2.3.3, 2.2.2, 2.1.2, or 2.0.15 or newer.
What versions are affected by CVE-2018-1260?
CVE-2018-1260 affects Spring Security OAuth versions prior to 2.3.3, 2.2.2, 2.1.2, and 2.0.15.
Who is impacted by CVE-2018-1260?
Any organization using vulnerable versions of Spring Security OAuth is at risk of being impacted by CVE-2018-1260.
What type of vulnerability is CVE-2018-1260?
CVE-2018-1260 is a remote code execution vulnerability that allows attackers to execute arbitrary code.
- agent/type
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1260
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/description
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rrpm-pj7p-7j9q
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/maven
- vendor/pivotal software
- canonical/spring security oauth
- version/spring security oauth/2.0.14
- version/spring security oauth/2.1
- version/spring security oauth/2.1.1
- version/spring security oauth/2.2
- version/spring security oauth/2.2.1
- version/spring security oauth/2.3
- version/spring security oauth/2.3.2