Fedora Account System
Red Hat Associate
Red Hat Customer
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions. This vulnerability exposes OAuth 2.0 Client applications that use HttpSessionOAuth2AuthorizationRequestRepository (Servlet) and WebSessionOAuth2ServerAuthorizationRequestRepository (Reactive). References: https://tanzu.vmware.com/security/cve-2021-22119
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Upstream fixing commits: https://github.com/spring-projects/spring-security/commit/700bda68b7b4507899221fe6774926ce0e8d9f21 and https://github.com/spring-projects/spring-security/commit/35f5ebdbcf93aa380cd57ca5ef7d579ed53f2a71
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22119