cve-2019-3778
Vulnerability from cvelistv5
Published
2019-03-07 19:00
Modified
2024-09-16 20:57
Severity ?
Summary
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).
References
security_alert@emc.comhttp://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.htmlThird Party Advisory, VDB Entry
security_alert@emc.comhttp://www.securityfocus.com/bid/107153Third Party Advisory, VDB Entry
security_alert@emc.comhttps://pivotal.io/security/cve-2019-3778Vendor Advisory
security_alert@emc.comhttps://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.htmlThird Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/107153Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://pivotal.io/security/cve-2019-3778Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
Impacted products
Vendor Product Version
Spring Spring Security OAuth Version: 2.3   < 2.3.5.RELEASE
Version: 2.0   < 2.0.17.RELEASE
Version: 2.1   < 2.1.4.RELEASE
Version: 2.2   < 2.2.4.RELEASE
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107153",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107153"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2019-3778"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Security OAuth",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "2.3.5.RELEASE",
              "status": "affected",
              "version": "2.3",
              "versionType": "custom"
            },
            {
              "lessThan": "2.0.17.RELEASE",
              "status": "affected",
              "version": "2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.1.4.RELEASE",
              "status": "affected",
              "version": "2.1",
              "versionType": "custom"
            },
            {
              "lessThan": "2.2.4.RELEASE",
              "status": "affected",
              "version": "2.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-02-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: Open Redirect",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-20T14:42:02",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "107153",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107153"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2019-3778"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Open Redirect in spring-security-oauth2",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "DATE_PUBLIC": "2019-02-21T00:00:00.000Z",
          "ID": "CVE-2019-3778",
          "STATE": "PUBLIC",
          "TITLE": "Open Redirect in spring-security-oauth2"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Security OAuth",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.3",
                            "version_value": "2.3.5.RELEASE"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.0",
                            "version_value": "2.0.17.RELEASE"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.1",
                            "version_value": "2.1.4.RELEASE"
                          },
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "2.2",
                            "version_value": "2.2.4.RELEASE"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \"redirect_uri\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient)."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-601: Open Redirect"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107153",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107153"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html"
            },
            {
              "name": "https://pivotal.io/security/cve-2019-3778",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2019-3778"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2019-3778",
    "datePublished": "2019-03-07T19:00:00Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-16T20:57:23.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.0.17\", \"matchCriteriaId\": \"B789A3FA-A33E-49F9-BAA9-85F788F5E055\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.1.0\", \"versionEndExcluding\": \"2.1.4\", \"matchCriteriaId\": \"BE8265A8-ED88-4A63-B9CC-A97C4452C4AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.2.0\", \"versionEndExcluding\": \"2.2.4\", \"matchCriteriaId\": \"9ACA5453-791C-4468-8A98-643706D2A098\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.3.0\", \"versionEndExcluding\": \"2.3.5\", \"matchCriteriaId\": \"3E128057-775F-4540-846D-9E482708741C\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending:14.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E17A81A3-8B4A-437F-8A7E-FE336A6567AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending:14.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B0315C0A-1C45-42EA-A132-83AF9B889AE6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending:14.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE9BBBFD-9FBD-47FA-AC5C-278A4382C344\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \\\"redirect_uri\\\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).\"}, {\"lang\": \"es\", \"value\": \"Spring Security OAuth, en la versiones 2.3 anteriores a la 2.3.5, en las 2.2 anteriores a las 2.2.4, en las 2.1 anteriores a la 2.1.4 y en las 2.0 anteriores a la 2.0.17 (y versiones anteriores no soportadas) podr\\u00eda ser susceptible a un ataque de redireccionamiento capaz de divulgar un c\\u00f3digo de autorizaci\\u00f3n. Un usuario o atacante malicioso puede manipular una petici\\u00f3n al endpoint de autorizaci\\u00f3n mediante el uso del tipo de concesi\\u00f3n de autorizaci\\u00f3n y la especificaci\\u00f3n de un URI de redireccionamiento manipulado mediante el par\\u00e1metro \\\"redirect_uri\\\". Esto puede provocar que el servidor de autorizaci\\u00f3n redirija al user-agent del propietario del recurso a un URI bajo en control del atacante con el c\\u00f3digo de autorizaci\\u00f3n divulgado. Esta vulnerabilidad expone las aplicaciones que cumplen con todos los siguientes requisitos: act\\u00faa en el rol de un servidor de autorizaci\\u00f3n (@EnableAuthorizationServer) y utiliza DefaultRedirectResolver en AuthorizationEndpoint. Esta vulnerabilidad no expone las aplicacionesplciaciones que: act\\u00faan en el rol de un servidor de autorizaci\\u00f3n (@EnableAuthorizationServer) y utilizan una implementaci\\u00f3n RedirectResolver que no sea DefaultRedirectResolver en AuthorizationEndpoint, act\\u00faan solamente en el rol de un servidor de recursos (p.ej., @EnableResourceServer) y act\\u00faan en el rol de solamente un cliente (p.ej., @EnableOAuthClient).\"}]",
      "id": "CVE-2019-3778",
      "lastModified": "2024-11-21T04:42:31.433",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-03-07T18:29:00.540",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/107153\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://pivotal.io/security/cve-2019-3778\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/107153\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://pivotal.io/security/cve-2019-3778\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security_alert@emc.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security_alert@emc.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-601\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-3778\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2019-03-07T18:29:00.540\",\"lastModified\":\"2024-11-21T04:42:31.433\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the \\\"redirect_uri\\\" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).\"},{\"lang\":\"es\",\"value\":\"Spring Security OAuth, en la versiones 2.3 anteriores a la 2.3.5, en las 2.2 anteriores a las 2.2.4, en las 2.1 anteriores a la 2.1.4 y en las 2.0 anteriores a la 2.0.17 (y versiones anteriores no soportadas) podr\u00eda ser susceptible a un ataque de redireccionamiento capaz de divulgar un c\u00f3digo de autorizaci\u00f3n. Un usuario o atacante malicioso puede manipular una petici\u00f3n al endpoint de autorizaci\u00f3n mediante el uso del tipo de concesi\u00f3n de autorizaci\u00f3n y la especificaci\u00f3n de un URI de redireccionamiento manipulado mediante el par\u00e1metro \\\"redirect_uri\\\". Esto puede provocar que el servidor de autorizaci\u00f3n redirija al user-agent del propietario del recurso a un URI bajo en control del atacante con el c\u00f3digo de autorizaci\u00f3n divulgado. Esta vulnerabilidad expone las aplicaciones que cumplen con todos los siguientes requisitos: act\u00faa en el rol de un servidor de autorizaci\u00f3n (@EnableAuthorizationServer) y utiliza DefaultRedirectResolver en AuthorizationEndpoint. Esta vulnerabilidad no expone las aplicacionesplciaciones que: act\u00faan en el rol de un servidor de autorizaci\u00f3n (@EnableAuthorizationServer) y utilizan una implementaci\u00f3n RedirectResolver que no sea DefaultRedirectResolver en AuthorizationEndpoint, act\u00faan solamente en el rol de un servidor de recursos (p.ej., @EnableResourceServer) y act\u00faan en el rol de solamente un cliente (p.ej., @EnableOAuthClient).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.17\",\"matchCriteriaId\":\"B789A3FA-A33E-49F9-BAA9-85F788F5E055\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.1.4\",\"matchCriteriaId\":\"BE8265A8-ED88-4A63-B9CC-A97C4452C4AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.4\",\"matchCriteriaId\":\"9ACA5453-791C-4468-8A98-643706D2A098\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.3.5\",\"matchCriteriaId\":\"3E128057-775F-4540-846D-9E482708741C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending:14.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E17A81A3-8B4A-437F-8A7E-FE336A6567AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0315C0A-1C45-42EA-A132-83AF9B889AE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending:14.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE9BBBFD-9FBD-47FA-AC5C-278A4382C344\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/107153\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://pivotal.io/security/cve-2019-3778\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/107153\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://pivotal.io/security/cve-2019-3778\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.