Description

Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.

Affected Spring Products and Versions

Spring Security OAuth
- 2.5.x prior to 2.5.2
- Older, unsupported versions

Mitigation

Users of affected versions should upgrade to the following versions:

Spring Security OAuth
- 2.5.2+

Credit

This issue was identified and responsibly reported by Macchinetta/TERASOLUNA Framework Development Team.

History

2022-04-21: Initial vulnerability report published.

Reporting a vulnerability

The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.

To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.