CVE-2018-1260

high-risk
Published 2018-05-11

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

Do I need to act?

!
50.3% chance of exploitation in next 30 days
EPSS score — higher than 50% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Pivotal Software

References (8)

Third Party Advisory http://www.securityfocus.com/bid/104158
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1809
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:2939
Vendor Advisory https://pivotal.io/security/cve-2018-1260
Third Party Advisory http://www.securityfocus.com/bid/104158
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1809
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:2939
Vendor Advisory https://pivotal.io/security/cve-2018-1260
55
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal