CVE-2021-22119: Denial-of-Service (DoS) attack via initiation of Authorization Request in Spring Security OAuth 2.0 Client Web and WebFlux Application

CRITICAL | JUNE 28, 2021 | CVE-2021-22119

Description

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web (Servlet) or WebFlux (Reactive) application. Initiating the Authorization Code Grant creates a pending Authorization Request that the client stores in the user's session until the matching Authorization Response arrives. A malicious user or attacker can repeatedly initiate the Authorization Request, from a single session or across many sessions, and each initiation adds to that stored state; with enough requests this exhausts system resources on the client application. The vulnerability exposes OAuth 2.0 Client applications that store pending requests with HttpSessionOAuth2AuthorizationRequestRepository (Servlet) or WebSessionOAuth2ServerAuthorizationRequestRepository (Reactive). Applications that plug in a custom AuthorizationRequestRepository are not covered by this advisory and should verify for themselves that their store bounds the number of pending requests a single session can hold.
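
To make the failure mode concrete, the following stand-alone Java program models a session-backed store for pending authorization requests in two variants: an unbounded per-session map keyed by the state parameter, which grows with every initiation, and a single-slot store that keeps only the most recent pending request per session. This is an added example written for this page, not code from the original advisory and not Spring Security's classes or its patch; the Session class, the AuthorizationRequest record, the attribute name and the sample values are assumptions, and the single-slot store is one way to bound the state rather than a description of what the fixed versions do.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Stand-alone model of the failure mode behind CVE-2021-22119: pending OAuth 2.0
 * authorization requests are parked in the HTTP session until the authorization
 * response comes back, and a store that keeps every pending request grows without
 * bound when the same client keeps initiating new flows.
 *
 * Illustrative code only. Session, AuthorizationRequest and the attribute name are
 * stand-ins (assumptions), not Spring Security's HttpSession or
 * OAuth2AuthorizationRequest types.
 */
public class AuthorizationRequestStoreDemo {

    /** Stand-in for OAuth2AuthorizationRequest; the state parameter is the lookup key. */
    record AuthorizationRequest(String state, String redirectUri) {}

    /** Stand-in for HttpSession attribute storage (one instance per browser session). */
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** Hypothetical session attribute name under which pending requests are kept. */
    static final String ATTR = "PENDING_AUTHORIZATION_REQUESTS";

    /** Unbounded pattern: a per-session Map keyed by state that only shrinks when a flow completes. */
    static final class UnboundedStore {
        @SuppressWarnings("unchecked")
        private Map<String, AuthorizationRequest> pending(Session session) {
            return (Map<String, AuthorizationRequest>) session.attributes
                    .computeIfAbsent(ATTR, key -> new LinkedHashMap<String, AuthorizationRequest>());
        }

        void save(Session session, AuthorizationRequest request) {
            pending(session).put(request.state(), request); // every fresh state is one more entry
        }

        AuthorizationRequest remove(Session session, String state) {
            return pending(session).remove(state);
        }

        int size(Session session) {
            return pending(session).size();
        }
    }

    /** Bounded pattern: one pending request per session; a new initiation replaces the previous one. */
    static final class SingleSlotStore {
        void save(Session session, AuthorizationRequest request) {
            session.attributes.put(ATTR, request);
        }

        AuthorizationRequest remove(Session session, String state) {
            AuthorizationRequest current = (AuthorizationRequest) session.attributes.get(ATTR);
            if (current == null || !current.state().equals(state)) {
                return null; // unknown or superseded state: the callback must be rejected
            }
            session.attributes.remove(ATTR);
            return current;
        }

        int size(Session session) {
            return session.attributes.containsKey(ATTR) ? 1 : 0;
        }
    }

    public static void main(String[] args) {
        int initiations = 100_000; // attacker-chosen; each initiation is a single cheap request
        UnboundedStore unbounded = new UnboundedStore();
        SingleSlotStore bounded = new SingleSlotStore();
        Session unboundedSession = new Session();
        Session boundedSession = new Session();

        for (int i = 0; i < initiations; i++) {
            // Constructed sample values; a real request carries the full authorization URI.
            AuthorizationRequest request = new AuthorizationRequest(
                    "state-" + i, "https://client.example/login/oauth2/code/demo");
            unbounded.save(unboundedSession, request);
            bounded.save(boundedSession, request);
        }

        System.out.println("pending requests in one session, unbounded store:   " + unbounded.size(unboundedSession));
        System.out.println("pending requests in one session, single-slot store: " + bounded.size(boundedSession));

        // The legitimate flow still completes under the bounded store (the newest state resolves) ...
        String newest = "state-" + (initiations - 1);
        System.out.println("single-slot store resolves newest state:     " + (bounded.remove(boundedSession, newest) != null));
        // ... but a superseded state does not, the trade-off for users who start several logins in parallel.
        System.out.println("single-slot store resolves superseded state: " + (bounded.remove(boundedSession, "state-0") != null));
    }
}
```

Run it with `java AuthorizationRequestStoreDemo.java` (Java 16 or later, for the record type). The unbounded store ends the loop holding 100,000 entries for one session while the single-slot store holds one, which is the whole difference the attack exploits. Two caveats: bounding per-session state does nothing about the number of sessions an attacker can open, so the "multiple sessions" variant in the description is governed by the container's session management (session timeouts and limits) rather than by the repository; and the single-slot approach rejects a callback for any state that a later initiation has superseded, so a user who opens two login tabs will only complete the second. Upgrading to a fixed version is the mitigation the advisory gives; this model only explains why the pending-request store is the resource that gets exhausted.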

Affected Spring Products and Versions

  • Spring Security
    • 5.5.x prior to 5.5.1
    • 5.4.x prior to 5.4.7
    • 5.3.x prior to 5.3.10
    • 5.2.x prior to 5.2.11

Mitigation

Users of affected versions should upgrade to the following versions:

  • Spring Security
    • 5.5.1
    • 5.4.7
    • 5.3.10
    • 5.2.11

Credit

This issue was identified and responsibly reported by Craig Andrews (github.com/candrews).

History

  • 2021-06-28: Initial vulnerability report published.
