CVE-2021-22119: Denial-of-Service (DoS) attack via initiation of Authorization Request in Spring Security OAuth 2.0 Client Web and WebFlux Application

CRITICAL | JUNE 28, 2021 | CVE-2021-22119

Description

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions. This vulnerability exposes OAuth 2.0 Client applications that use HttpSessionOAuth2AuthorizationRequestRepository (Servlet) and WebSessionOAuth2ServerAuthorizationRequestRepository (Reactive).

Affected Spring Products and Versions

Spring Security
- 5.5.x prior to 5.5.1
- 5.4.x prior to 5.4.7
- 5.3.x prior to 5.3.10
- 5.2.x prior to 5.2.11

Mitigation

Users of affected versions should upgrade to the following versions:

Spring Security
- 5.5.1
- 5.4.7
- 5.3.10
- 5.2.11

Credit

This issue was identified and responsibly reported by Craig Andrews (github.com/candrews).

History

2021-06-28: Initial vulnerability report published.

Reporting a vulnerability

The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.

To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.