CVE-2018-15801
CVE-2018-15801 is a high-severity vulnerability with a CVSS base score of 7.4/10. Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability in JWT issuer validation. To be impacted, the same private key must be used to sign JWTs for both an honest issuer and a malicious user. EPSS estimates a 0.65% chance of exploitation in the next 30 days.
Description
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability in JWT issuer validation. To be impacted, the same private key must be used to sign JWTs for both an honest issuer and a malicious user. In that case, a malicious user could fashion signed JWTs carrying the malicious issuer URL that may be accepted as if they came from the honest issuer.
Metrics
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| VMware | Spring Framework | >= 5.1.0, < 5.1.2 |
References
- https://pivotal.io/security/cve-2018-15801 (Vendor Advisory)
Source: NVD / NIST
