CVE-2022-22969

Опубликовано: 21 апр. 2022

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.

Ссылки

https://tanzu.vmware.com/security/cve-2022-22969
Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
https://tanzu.vmware.com/security/cve-2022-22969
Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:pivotal:spring_security_oauth:*:*:*:*:*:*:*:*

Версия от 2.4.0 (включая) до 2.4.2 (исключая)

cpe:2.3:a:pivotal:spring_security_oauth:*:*:*:*:*:*:*:*

Версия от 2.5.0 (включая) до 2.5.2 (исключая)

Конфигурация 2

cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*

EPSS

Процентиль: 66%

0.00509

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-c2cp-3xj9-97w9