CVE-2018-15758: Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported ver...

Description

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability does not expose applications that: Act in the role of an Authorization Server and use the default Approval Endpoint, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).

Metrics

EPSS Probability

2.15%

79.8th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Pivotal Software	Spring Security Oauth	<= 1.0.5
Pivotal Software	Spring Security Oauth	>= 2.0.0, < 2.0.16
Pivotal Software	Spring Security Oauth	>= 2.1.0, < 2.1.3
Pivotal Software	Spring Security Oauth	>= 2.2.0, < 2.2.3
Pivotal Software	Spring Security Oauth	>= 2.3.0, < 2.3.4

References

http://www.securityfocus.com/bid/105687Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2019:2413
https://pivotal.io/security/cve-2018-15758Mitigation, Vendor Advisory
http://www.securityfocus.com/bid/105687Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2019:2413
https://pivotal.io/security/cve-2018-15758Mitigation, Vendor Advisory

Timeline

Published: Oct 18, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-15758?

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument. This vulnerability does not expose applications that: Act in the role of an Authorization Server and use the default Approval Endpoint, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).

How severe is CVE-2018-15758?

Severity scoring for CVE-2018-15758 is pending analysis. The EPSS model estimates a 2.15% probability of exploitation in the next 30 days.

How do I fix CVE-2018-15758?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.