Vulnerability Details: CVE-2019-11269
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.
Vulnerability category: Open redirect
Products affected by CVE-2019-11269
- cpe:2.3:a:oracle:banking_corporate_lending:14.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending:14.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11269
- EPSS score: 0.28% (probability of exploitation activity in the next 30 days)
- Percentile: ~69% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-11269
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | 
4.2 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N | 0.5 | 3.6 | Pivotal Software, Inc. | 
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2.8 | 2.5 | NIST | 
CWE ids for CVE-2019-11269
- A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Assigned by:
- nvd@nist.gov (Primary)
- security@pivotal.io (Secondary)
References for CVE-2019-11269
- https://pivotal.io/security/cve-2019-11269 (CVE-2019-11269: Open Redirector in spring-security-oauth2 | Security | Pivotal) - Vendor Advisory
- http://packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html (Spring Security OAuth 2.3 Open Redirection ≈ Packet Storm) - Third Party Advisory; VDB Entry
- https://www.oracle.com/security-alerts/cpujan2021.html (Oracle Critical Patch Update Advisory - January 2021) - Third Party Advisory