CVE-2019-3778 (GCVE-0-2019-3778)

Vulnerability from cvelistv5 – Published: 2019-03-07 19:00 – Updated: 2024-09-16 20:57
VLAI?
Summary
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).
Severity ?
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
Spring Spring Security OAuth Affected: 2.3 , < 2.3.5.RELEASE (custom)
Affected: 2.0 , < 2.0.17.RELEASE (custom)
Affected: 2.1 , < 2.1.4.RELEASE (custom)
Affected: 2.2 , < 2.2.4.RELEASE (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107153",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107153"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-3778"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Security OAuth",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "2.3.5.RELEASE",
              "status": "affected",
              "version": "2.3",
              "versionType": "custom"
            },
            {
              "lessThan": "2.0.17.RELEASE",
              "status": "affected",
              "version": "2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.1.4.RELEASE",
              "status": "affected",
              "version": "2.1",
              "versionType": "custom"
            },
            {
              "lessThan": "2.2.4.RELEASE",
              "status": "affected",
              "version": "2.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-02-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: Open Redirect",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:02",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "107153",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107153"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-3778"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Open Redirect in spring-security-oauth2",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "DATE_PUBLIC": "2019-02-21T00:00:00.000Z",
          "ID": "CVE-2019-3778",
          "STATE": "PUBLIC",
          "TITLE": "Open Redirect in spring-security-oauth2"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Security OAuth",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.3",
                            "version_value": "2.3.5.RELEASE"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.0",
                            "version_value": "2.0.17.RELEASE"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.1",
                            "version_value": "2.1.4.RELEASE"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.2",
                            "version_value": "2.2.4.RELEASE"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient)."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-601: Open Redirect"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107153",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107153"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html"
            },
            {
              "name": "https://pivotal.io/security/cve-2019-3778",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-3778"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2019-3778",
    "datePublished": "2019-03-07T19:00:00Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-16T20:57:23.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.0.17\", \"matchCriteriaId\": \"B789A3FA-A33E-49F9-BAA9-85F788F5E055\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.1.0\", \"versionEndExcluding\": \"2.1.4\", \"matchCriteriaId\": \"BE8265A8-ED88-4A63-B9CC-A97C4452C4AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.2.0\", \"versionEndExcluding\": \"2.2.4\", \"matchCriteriaId\": \"9ACA5453-791C-4468-8A98-643706D2A098\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.3.0\", \"versionEndExcluding\": \"2.3.5\", \"matchCriteriaId\": \"3E128057-775F-4540-846D-9E482708741C\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending:14.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E17A81A3-8B4A-437F-8A7E-FE336A6567AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending:14.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B0315C0A-1C45-42EA-A132-83AF9B889AE6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending:14.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE9BBBFD-9FBD-47FA-AC5C-278A4382C344\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \\\"redirect_uri\\\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).\"}, {\"lang\": \"es\", \"value\": \"Spring Security OAuth, en la versiones 2.3 anteriores a la 2.3.5, en las 2.2 anteriores a las 2.2.4, en las 2.1 anteriores a la 2.1.4 y en las 2.0 anteriores a la 2.0.17 (y versiones anteriores no soportadas) podr\\u00eda ser susceptible a un ataque de redireccionamiento capaz de divulgar un c\\u00f3digo de autorizaci\\u00f3n. Un usuario o atacante malicioso puede manipular una petici\\u00f3n al endpoint de autorizaci\\u00f3n mediante el uso del tipo de concesi\\u00f3n de autorizaci\\u00f3n y la especificaci\\u00f3n de un URI de redireccionamiento manipulado mediante el par\\u00e1metro \\\"redirect_uri\\\". Esto puede provocar que el servidor de autorizaci\\u00f3n redirija al user-agent del propietario del recurso a un URI bajo en control del atacante con el c\\u00f3digo de autorizaci\\u00f3n divulgado. Esta vulnerabilidad expone las aplicaciones que cumplen con todos los siguientes requisitos: act\\u00faa en el rol de un servidor de autorizaci\\u00f3n (@EnableAuthorizationServer) y utiliza DefaultRedirectResolver en AuthorizationEndpoint. Esta vulnerabilidad no expone las aplicacionesplciaciones que: act\\u00faan en el rol de un servidor de autorizaci\\u00f3n (@EnableAuthorizationServer) y utilizan una implementaci\\u00f3n RedirectResolver que no sea DefaultRedirectResolver en AuthorizationEndpoint, act\\u00faan solamente en el rol de un servidor de recursos (p.ej., @EnableResourceServer) y act\\u00faan en el rol de solamente un cliente (p.ej., @EnableOAuthClient).\"}]",
      "id": "CVE-2019-3778",
      "lastModified": "2024-11-21T04:42:31.433",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-03-07T18:29:00.540",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/107153\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://pivotal.io/security/cve-2019-3778\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/107153\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://pivotal.io/security/cve-2019-3778\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security_alert@emc.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security_alert@emc.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-3778\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2019-03-07T18:29:00.540\",\"lastModified\":\"2024-11-21T04:42:31.433\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \\\"redirect_uri\\\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).\"},{\"lang\":\"es\",\"value\":\"Spring Security OAuth, en la versiones 2.3 anteriores a la 2.3.5, en las 2.2 anteriores a las 2.2.4, en las 2.1 anteriores a la 2.1.4 y en las 2.0 anteriores a la 2.0.17 (y versiones anteriores no soportadas) podr\u00eda ser susceptible a un ataque de redireccionamiento capaz de divulgar un c\u00f3digo de autorizaci\u00f3n. Un usuario o atacante malicioso puede manipular una petici\u00f3n al endpoint de autorizaci\u00f3n mediante el uso del tipo de concesi\u00f3n de autorizaci\u00f3n y la especificaci\u00f3n de un URI de redireccionamiento manipulado mediante el par\u00e1metro \\\"redirect_uri\\\". Esto puede provocar que el servidor de autorizaci\u00f3n redirija al user-agent del propietario del recurso a un URI bajo en control del atacante con el c\u00f3digo de autorizaci\u00f3n divulgado. Esta vulnerabilidad expone las aplicaciones que cumplen con todos los siguientes requisitos: act\u00faa en el rol de un servidor de autorizaci\u00f3n (@EnableAuthorizationServer) y utiliza DefaultRedirectResolver en AuthorizationEndpoint. Esta vulnerabilidad no expone las aplicacionesplciaciones que: act\u00faan en el rol de un servidor de autorizaci\u00f3n (@EnableAuthorizationServer) y utilizan una implementaci\u00f3n RedirectResolver que no sea DefaultRedirectResolver en AuthorizationEndpoint, act\u00faan solamente en el rol de un servidor de recursos (p.ej., @EnableResourceServer) y act\u00faan en el rol de solamente un cliente (p.ej., @EnableOAuthClient).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.17\",\"matchCriteriaId\":\"B789A3FA-A33E-49F9-BAA9-85F788F5E055\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.1.4\",\"matchCriteriaId\":\"BE8265A8-ED88-4A63-B9CC-A97C4452C4AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.4\",\"matchCriteriaId\":\"9ACA5453-791C-4468-8A98-643706D2A098\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.3.5\",\"matchCriteriaId\":\"3E128057-775F-4540-846D-9E482708741C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending:14.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E17A81A3-8B4A-437F-8A7E-FE336A6567AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0315C0A-1C45-42EA-A132-83AF9B889AE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending:14.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE9BBBFD-9FBD-47FA-AC5C-278A4382C344\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/107153\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://pivotal.io/security/cve-2019-3778\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/107153\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://pivotal.io/security/cve-2019-3778\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.