CVE-2018-1260: Code Injection
First published: Fri May 11 2018(Updated: )
A flaw was found in Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint. References: <a href="https://pivotal.io/security/cve-2018-1260">https://pivotal.io/security/cve-2018-1260</a>
Credit: security_alert@emc.com security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/spring-security-oauth | <2.3.3 | 2.3.3 |
| redhat/spring-security-oauth | <2.2.2 | 2.2.2 |
| redhat/spring-security-oauth | <2.1.2 | 2.1.2 |
| redhat/spring-security-oauth | <2.0.15 | 2.0.15 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.0.0<2.0.15 | 2.0.15 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.1.0<2.1.2 | 2.1.2 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.2.0<2.2.2 | 2.2.2 |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=2.3.0<2.3.3 | 2.3.3 |
| Pivotal Software Spring Security Oauth | <=2.0.14 | |
| Pivotal Software Spring Security Oauth | >=2.1<=2.1.1 | |
| Pivotal Software Spring Security Oauth | >=2.2<=2.2.1 | |
| Pivotal Software Spring Security Oauth | >=2.3<=2.3.2 | |
| maven/org.springframework.security.oauth:spring-security-oauth2 | >=1.0.0<=1.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/104158
- https://access.redhat.com/errata/RHSA-2018:1809
- https://access.redhat.com/errata/RHSA-2018:2939
- https://pivotal.io/security/cve-2018-1260
- https://goo.gl/hKpzJK
- https://bugzilla.redhat.com/show_bug.cgi?id=1584376
- https://nvd.nist.gov/vuln/detail/CVE-2018-1260
- https://github.com/advisories/GHSA-rrpm-pj7p-7j9q (Advisory)
- https://web.archive.org/web/20200227123539/http://www.securityfocus.com/bid/104158
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1260
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/description
- agent/author
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rrpm-pj7p-7j9q
- agent/last-modified-date
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/pivotal software
- canonical/pivotal software spring security oauth
- version/pivotal software spring security oauth/2.0.14
- version/pivotal software spring security oauth/2.1
- version/pivotal software spring security oauth/2.1.1
- version/pivotal software spring security oauth/2.2
- version/pivotal software spring security oauth/2.2.1
- version/pivotal software spring security oauth/2.3
- version/pivotal software spring security oauth/2.3.2
- package-manager/maven