Bug 1584376 (CVE-2018-1260) - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process
Summary: CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1584382
Reported: 2018-05-30 18:47 UTC by Laura Pardo
Modified: 2021-10-21 20:04 UTC

Fixed In Version: spring-security-oauth 2.3.3, spring-security-oauth 2.2.2, spring-security-oauth 2.1.2, spring-security-oauth 2.0.15
Clone Of:
Environment:
Last Closed: 2021-10-21 20:04:37 UTC
Embargoed:




Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:1809 | 0       | None     | None   | None    | 2018-06-07 08:26:11 UTC
Red Hat Product Errata | RHSA-2018:2939 | 0       | None     | None   | None    | 2018-10-17 19:30:07 UTC

Description Laura Pardo 2018-05-30 18:47:57 UTC
A flaw was found in Spring Security OAuth: versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contain a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.


References:
https://pivotal.io/security/cve-2018-1260

Comment 2 claprun@redhat.com 2018-06-01 08:41:46 UTC
Shouldn't this be marked as critical as that's how the Pivotal CVE is classified?

Comment 3 errata-xmlrpc 2018-06-07 08:26:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Application Runtimes (text-only advisories)

Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809

Comment 4 errata-xmlrpc 2018-10-17 19:30:01 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

