CVE-2019-11269
Open redirector vulnerability in spring-security-oauth (Maven)

Open redirector No known exploit

What is CVE-2019-11269 About?

CVE-2019-11269 is an open redirector in Spring Security OAuth that can leak an authorization code. An attacker crafts an authorization request carrying a manipulated redirect_uri; because the server's validation of that parameter is insufficient, it redirects the resource owner's browser to an attacker-controlled site with the authorization code attached. Exploitation is moderately complex because it requires a victim to follow the crafted link.

Affected Software

  • org.springframework.security.oauth:spring-security-oauth (the library jar normally appears in a build as artifact spring-security-oauth2 under the same group)
    • >=2.0.0.RELEASE, <2.0.18.RELEASE
    • >=2.1.0.RELEASE, <2.1.5.RELEASE
    • >=2.2.0.RELEASE, <2.2.5.RELEASE
    • >=2.3.0.RELEASE, <2.3.6.RELEASE

Technical Details

The vulnerability affects Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18. It is an open redirector: an attacker crafts a request to the authorization endpoint using the authorization code grant type (response_type=code) and supplies a manipulated redirect_uri parameter. The server's validation of that parameter against the client's registered redirect URI is insufficient, so the authorization server redirects the resource owner's user-agent (browser) to a URI under the attacker's control, and the 302 Location carries the authorization code as a query parameter, where the attacker's server can harvest it. RFC 6749 requires the authorization server to compare redirect_uri with the registered value and, on mismatch, to refuse the request rather than redirect at all; the defect here is that the comparison lets non-registered targets through.

What is the Impact of CVE-2019-11269?

Successful exploitation lets an attacker steal authorization codes issued for a victim. A stolen code can then be exchanged at the token endpoint for an access token (directly, for a public client; for a confidential client, by injecting the code into the legitimate client's callback), giving the attacker unauthorized access to the victim's account or protected resources.

What is the Exploitability of CVE-2019-11269?

Exploitation involves crafting an authorization URL with a malicious redirect_uri parameter and enticing a user who has a session with the authorization server to open it. The attack is remote, and the attacker needs no account or special privileges to craft and trigger the request. Complexity is moderate because it depends on user interaction and on the application's configuration. The critical precondition is that the application runs Spring Security OAuth in the Authorization Server role with the vulnerable redirect_uri validation; resource servers and clients that only consume tokens are not exposed by this issue. The risk increases when such a server is publicly reachable and does not enforce exact-match validation against an allowlist of registered redirect URIs.
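The following is an added, self-contained model of the behaviour described in the Technical Details and Exploitability sections above; it is example code written for this page, not Spring Security OAuth's own implementation. It registers one hypothetical client and redirect URI, implements a loose resolver (a prefix match on the registered scheme and host with no terminator after the host, a representative weak check rather than the library's exact logic) beside a strict exact-match resolver, and runs a constructed attacker request (attacker host invented for the example) through both to show where the code ends up.

```python
"""Model of an OAuth 2.0 authorization endpoint with a loose and a strict
redirect_uri resolver. Everything here is constructed for illustration;
it is not code from Spring Security OAuth."""
from urllib.parse import urlencode, urlsplit

# Constructed client registry: the client id and redirect URI are hypothetical.
REGISTERED_REDIRECTS = {
    "webapp": "https://client.example.com/callback",
}

# Constructed authorization code; a real server issues a random, single-use value.
ISSUED_CODE = "SplxlOBeZQQYbYS6WxSbIA"


def loose_resolve(client_id: str, requested: str) -> str:
    """Vulnerable pattern: accept any redirect_uri that merely starts with the
    registered scheme://host. Without a required terminator after the host,
    'https://client.example.com.attacker.net/...' passes the check."""
    registered = urlsplit(REGISTERED_REDIRECTS[client_id])
    origin_prefix = f"{registered.scheme}://{registered.hostname}"
    if requested.startswith(origin_prefix):
        return requested  # echoes the attacker-controlled value back
    raise ValueError("redirect_uri not registered")


def strict_resolve(client_id: str, requested: str) -> str:
    """Hardened pattern: parse both URIs and require scheme, host, port, path
    and query to match exactly; fragments are never accepted. On success the
    server always redirects to the registered value, never the requested one."""
    registered = urlsplit(REGISTERED_REDIRECTS[client_id])
    req = urlsplit(requested)
    if req.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    same = (req.scheme, req.hostname, req.port, req.path, req.query) == (
        registered.scheme, registered.hostname, registered.port,
        registered.path, registered.query)
    if not same:
        raise ValueError("redirect_uri not registered")
    return REGISTERED_REDIRECTS[client_id]


def authorize(resolver, params: dict) -> str:
    """Authorization endpoint after the resource owner has consented:
    returns the Location header value of the 302 response."""
    if params.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    target = resolver(params["client_id"], params["redirect_uri"])
    query = {"code": ISSUED_CODE}
    if "state" in params:
        query["state"] = params["state"]
    separator = "&" if urlsplit(target).query else "?"
    return target + separator + urlencode(query)


def accepted(resolver, params: dict) -> bool:
    """True when the resolver lets the request through without error."""
    try:
        authorize(resolver, params)
        return True
    except ValueError:
        return False


def redirect_host(location: str) -> str:
    """Host that will receive the authorization code."""
    return urlsplit(location).hostname or ""


# The crafted authorize request described above; the attacker's host is
# constructed for this example.
ATTACK_REQUEST = {
    "response_type": "code",
    "client_id": "webapp",
    "redirect_uri": "https://client.example.com.attacker.net/callback",
    "state": "xyz",
}

if __name__ == "__main__":
    print("loose  ->", authorize(loose_resolve, ATTACK_REQUEST))
    print("strict ->", "rejected" if not accepted(strict_resolve, ATTACK_REQUEST)
          else authorize(strict_resolve, ATTACK_REQUEST))
```

With the loose resolver the Location header points at client.example.com.attacker.net with the code in the query string; the strict resolver refuses the request before any redirect is issued, which is the behaviour RFC 6749 requires on a redirect_uri mismatch.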

What are the Known Public Exploits?

No public proof-of-concept is listed (PoC / Author / Link / Commentary: none).

What are the Available Fixes for CVE-2019-11269?

Available Upgrade Options

  • org.springframework.security.oauth:spring-security-oauth
    • >=2.0.0.RELEASE, <2.0.18.RELEASE → Upgrade to 2.0.18.RELEASE
    • >=2.1.0.RELEASE, <2.1.5.RELEASE → Upgrade to 2.1.5.RELEASE
    • >=2.2.0.RELEASE, <2.2.5.RELEASE → Upgrade to 2.2.5.RELEASE
    • >=2.3.0.RELEASE, <2.3.6.RELEASE → Upgrade to 2.3.6.RELEASE

Upgrade within the minor line you already run; the fixed version is the first release of each line that validates redirect_uri correctly. Note that the Spring Security OAuth 2.x project is no longer maintained, so a patch upgrade removes this issue but does not replace the longer-term migration to the OAuth 2.0 support built into Spring Security itself.


Additional Resources

What are Similar Vulnerabilities to CVE-2019-11269?

Similar Vulnerabilities: CVE-2019-3778, CVE-2020-5407, CVE-2017-4995, CVE-2021-22005, CVE-2018-1296