JVNDB-2022-000037
|
Spring Security OAuth (spring-security-oauth2) vulnerable to denial-of-service (DoS)
|
Spring Security OAuth (spring-security-oauth2) provided by VMware, Inc. contains a denial-of-service vulnerability due to uncontrolled resource consumption (CWE-400).
Note that Spring Security OAuth (spring-security-oauth2) is no longer supported, and Spring Security has been developed as the alternative. A similar vulnerability, known as CVE-2021-22119, was identified there and has been addressed.
Macchinetta/TERASOLUNA Framework Development Team: NTT DATA Corporation, NTT COMWARE, and NTT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
|
|
VMware
- Spring Security OAuth (spring-security-oauth2) 2.5.1 and earlier
|
|
A website that provides OAuth client functionality using Spring Security OAuth (spring-security-oauth2) may fall into a denial-of-service condition.
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
|
VMware
NTT DATA
|
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2022-22969
|
- JVN : JVN#15317878
- National Vulnerability Database (NVD) : CVE-2022-22969
|
- [2022/05/20]
Web page was published
- [2024/06/20]
References : Content was added
|