CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
9.0%
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.
Specifically, an application is vulnerable when a Confidential Clientย uses PKCE for the Authorization Code Grant.
An application is not vulnerable when a Public Clientย uses PKCE for the Authorization Code Grant.
[
{
"defaultStatus": "affected",
"packageName": "Spring Authorization Server",
"product": "Spring",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.x",
"versionType": "enterprise support only"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.x",
"versionType": "oss"
},
{
"lessThan": "1.2.3",
"status": "affected",
"version": "1.2.x\t",
"versionType": "oss"
}
]
}
]