Lucene search

[email protected]CVE-2021-22119

HistoryJun 29, 2021 - 5:15 p.m.

CVE-2021-22119

2021-06-2917:15:00

CWE-863

[email protected]

web.nvd.nist.gov

cve-2021-22119

spring security

dos

denial-of-service

oauth 2.0

client

web

webflux

authorization request

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

77.3%

JSON

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

CPENameOperatorVersion
vmware:spring_securityvmware spring securitylt5.5.1
vmware:spring_securityvmware spring securitylt5.4.7
vmware:spring_securityvmware spring securitylt5.2.11
vmware:spring_securityvmware spring securitylt5.3.10
oracle:communications_cloud_native_core_policyoracle communications cloud native core policyeq1.14.0

CPE	Name	Operator	Version
vmware:spring_security	vmware spring security	lt	5.5.1
vmware:spring_security	vmware spring security	lt	5.4.7
vmware:spring_security	vmware spring security	lt	5.2.11
vmware:spring_security	vmware spring security	lt	5.3.10
oracle:communications_cloud_native_core_policy	oracle communications cloud native core policy	eq	1.14.0