Bug 1584376 (CVE-2018-1260) - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process
Summary: CVE-2018-1260 spring-security-oauth: remote code execution in the authorizati...
Status: NEW
Alias: CVE-2018-1260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180509,repo...
Keywords: Security
Depends On:
Blocks: 1584382
TreeView+ depends on / blocked
 
Reported: 2018-05-30 18:47 UTC by Laura Pardo
Modified: 2019-03-18 10:33 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1809 None None None 2018-06-07 08:26 UTC
Red Hat Product Errata RHSA-2018:2939 None None None 2018-10-17 19:30 UTC

Description Laura Pardo 2018-05-30 18:47:57 UTC
A flaw was found in Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.


References:
https://pivotal.io/security/cve-2018-1260

Comment 2 claprun@redhat.com 2018-06-01 08:41:46 UTC
Shouldn't this be marked as critical as that's how the Pivotal CVE is classified?

Comment 3 errata-xmlrpc 2018-06-07 08:26:08 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809

Comment 4 errata-xmlrpc 2018-10-17 19:30:01 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 5 marthasimons2 2018-10-22 11:13:00 UTC
Thanka for greate job Red Hat Fuse Intergration Services 2.0

Via RHSA-2018:2940 https://goo.gl/hKpzJK


Note You need to log in before you can comment on or make changes to this bug.