5 matches found
com.microsoft.azure:azure-active-directory-b2c-spring-boot-starter (>=2.1.4.M1 <=2.1.6.M2), com.sap.cloud.security.xsuaa:spring-xsuaa (>=1.1.0 <=2.1.0) +4 more potentially affected by CVE-2018-15801 via org.springframework.security:spring-security-oauth2-jose (>=5.1.10.RELEASE <=5.1.1.RELEASE)
org.springframework.security:spring-security-oauth2-jose MAVEN version =5.1.10.RELEASE, =2.1.4.M1, =1.1.0, =1.2.0, =1.2.0, =2.1.0.RELEASE, =2.1.0.RELEASE, =2.1.18.RELEASE Source cves: CVE-2018-15801 Source advisory: OSV:GHSA-27XW-P8V6-9JJR...
CVE-2018-15801
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...
CVE-2018-15801
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...
CVE-2018-15801
CVE-2018-15801 affects Spring Security versions 5.1.x prior to 5.1.2, where an authorization bypass can occur during JWT issuer validation. For exploitation, the same private key must be used by an honest issuer and a malicious user when signing JWTs; a attacker could craft signed tokens with a m...
CVE-2018-15801 Authorization Bypass During JWT Issuer Validation with spring-security
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...