CVE-2021-22119

CVE Database · CVE-2021-22119

CVE-2021-22119

· HIGHModified

CVSS v3.1

7.5

EPSS

6.67%

Published

Jun 29, 2021

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-400CWE-863

Affected Products (5)

vmware · spring_security (up to 5.2.11)vulnerable

vmware · spring_security (up to 5.3.10)vulnerable

vmware · spring_security (up to 5.4.7)vulnerable

vmware · spring_security (up to 5.5.1)vulnerable

oracle · communications_cloud_native_core_policyvulnerable

References (18)

https://lists.apache.org/thread.html/r08a449010786e0bcffa4b5781b04fcb55d6eafa62cb79b8347680aad%40%3Cissues.nifi.apache.org%3E