Bugzilla will be offline for an upgrade to version 5.0 and migration to new hardware starting at 23:00 UTC, 2018-09-07. The outage is expected to last 12 hours. Additional information about the upgrade can be found here
First Last Prev Next    This bug is not in your last search results.
Bug 1305443 - (CVE-2015-5258) CVE-2015-5258 springframework-social: CSRF vulnerability when authorizing an app against OAuth 2 API provider
CVE-2015-5258 springframework-social: CSRF vulnerability when authorizing an...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151112,repor...
: Security
Depends On: 1305445
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-08 04:38 EST by Adam Mariš
Modified: 2016-03-03 04:53 EST (History)
1 user (show)

See Also:
Fixed In Version: springframework-social 1.1.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2016-02-08 04:38:57 EST 
It was found that when authorizing an application against an OAuth 2 API provider, Spring Social is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The attack involves a malicious user beginning an OAuth 2 authorization flow using a fake account with an OAuth 2 API provider, but completing it by tricking the victim into visiting the callback request in their browser. As a consequence, the attacker will have access to the victim's account on the vulnerable site by way of the fake provider account.

External Reference:

https://blog.srcclr.com/spring-social-core-vulnerability-disclosure/
Comment 1 Adam Mariš 2016-02-08 04:39:18 EST 
Created springframework-social tracking bugs for this issue:

Affects: fedora-23 [bug 1305445]
Comment 2 gil cattaneo 2016-02-08 09:30:20 EST 
I cant update to 1.1.3, because newer release required SpringFramework >= 4.0.6.RELEASE. This is not updatable, it breaks compatible with many packages
Comment 3 Fedora Update System 2016-02-17 09:20:59 EST 
springframework-social-1.0.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.