CVE-2021-22119: Input Validation
First published: Mon Jun 28 2021(Updated: )
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vmware Spring Security | >=5.2.0<5.2.11 | |
| Vmware Spring Security | >=5.3.0<5.3.10 | |
| Vmware Spring Security | >=5.4.0<5.4.7 | |
| Vmware Spring Security | >=5.5.0<5.5.1 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| IBM DRM | <=2.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-22119 https://nvd.nist.gov/vuln/detail/CVE-2021-22119
- https://bugzilla.redhat.com/show_bug.cgi?id=1977064
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/security/cve/cve-2021-22119
- https://exchange.xforce.ibmcloud.com/vulnerabilities/204656
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
- https://lists.apache.org/thread.html/r08a449010786e0bcffa4b5781b04fcb55d6eafa62cb79b8347680aad@%3Cissues.nifi.apache.org%3E
- https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E
- https://tanzu.vmware.com/security/cve-2021-22119
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://github.com/spring-projects/spring-security/commit/700bda68b7b4507899221fe6774926ce0e8d9f21
- https://github.com/spring-projects/spring-security/commit/35f5ebdbcf93aa380cd57ca5ef7d579ed53f2a71
- https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde%40%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3E
- https://lists.apache.org/thread.html/r08a449010786e0bcffa4b5781b04fcb55d6eafa62cb79b8347680aad%40%3Cissues.nifi.apache.org%3E
Frequently Asked Questions
What is CVE-2021-22119?
CVE-2021-22119 is a vulnerability in Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10, and 5.2.x prior to 5.2.11 that allows for a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application.
How severe is CVE-2021-22119?
CVE-2021-22119 is considered to be a high severity vulnerability with a severity value of 7.
Which software versions are affected by CVE-2021-22119?
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10, and 5.2.x prior to 5.2.11 are affected by CVE-2021-22119.
How can I fix CVE-2021-22119?
To fix CVE-2021-22119, update your Spring Security version to 5.5.1, 5.4.7, 5.3.10, or 5.2.11 depending on the version you are currently using.
Where can I find more information about CVE-2021-22119?
You can find more information about CVE-2021-22119 at the following references: [CVE-2021-22119](https://www.cve.org/CVERecord?id=CVE-2021-22119), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-22119), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1977064), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2022:5532).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22119
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/vmware
- canonical/vmware spring security
- version/vmware spring security/5.2.0
- version/vmware spring security/5.3.0
- version/vmware spring security/5.4.0
- version/vmware spring security/5.5.0
- vendor/oracle
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- package-manager/redhat
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6