CVE-2019-3778
Open redirector vulnerability in spring-security-oauth (Maven)

Open redirector Proof of concept

What is CVE-2019-3778 About?

This vulnerability is an open redirector attack in Spring Security OAuth that can leak an authorization code. Attackers can craft a malicious redirect URI to redirect a user's browser and capture sensitive authorization codes. It is moderately easy to exploit given the specific configuration requirements.

Affected Software

  • org.springframework.security.oauth:spring-security-oauth
    • >2.2.0.RELEASE, <2.2.4.RELEASE
    • >2.1.0.RELEASE, <2.1.4.RELEASE
    • >2.3.0.RELEASE, <2.3.5.RELEASE
    • <2.0.17.RELEASE
  • org.springframework.security.oauth:spring-security-oauth2
    • >2.2.0.RELEASE, <2.2.4.RELEASE
    • >2.1.0.RELEASE, <2.1.4.RELEASE
    • >2.3.0.RELEASE, <2.3.5.RELEASE
    • <2.0.17.RELEASE

Technical Details

The vulnerability exists in Spring Security OAuth versions 2.3 prior to 2.3.5, 2.2 prior to 2.2.4, 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, affecting applications acting as an Authorization Server and using the DefaultRedirectResolver in the AuthorizationEndpoint. A malicious user can craft a request to the authorization endpoint using the authorization code grant type, embedding a manipulated redirect_uri parameter. The DefaultRedirectResolver improperly validates this URI, causing the authorization server to redirect the resource owner's user-agent to an attacker-controlled URI, along with the sensitive authorization code as part of the URL.
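The defect described above is a redirect resolver that accepts a redirect_uri which does not exactly reproduce one the client registered. The following is an added Python example, not Spring Security OAuth's DefaultRedirectResolver, showing the exact-match check an authorization server should apply to redirect_uri, with a loose prefix matcher beside it for contrast; the registered callback and the inputs are constructed, and the specific bypass of the affected versions is not reproduced here.

```python
from typing import Iterable
from urllib.parse import SplitResult, urlsplit

# Default ports, so that "https://app.example/cb" and "https://app.example:443/cb"
# are treated as the same registered endpoint.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _match_key(parts: SplitResult) -> tuple:
    """Components an exact redirect-URI comparison must agree on: scheme and
    host case-insensitively, port after normalisation, path and query verbatim."""
    scheme = parts.scheme.lower()
    port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path or "/", parts.query)


def redirect_allowed_strict(registered: Iterable[str], requested: str) -> bool:
    """Exact matching of redirect_uri against the client's registered URIs, the
    behaviour the OAuth 2.0 Security BCP asks authorization servers to apply.
    A different scheme, host or port, a longer or shorter path, an unregistered
    query string, a fragment, or userinfo in front of the host is refused, so the
    authorization code can only be delivered to a registered endpoint."""
    try:
        parts = urlsplit(requested)
        if parts.username is not None or parts.password is not None or parts.fragment:
            return False
        key = _match_key(parts)
        return any(_match_key(urlsplit(r)) == key for r in registered)
    except ValueError:  # malformed port or IPv6 literal: refuse rather than guess
        return False


def redirect_allowed_prefix(registered: Iterable[str], requested: str) -> bool:
    """Loose prefix matching, included only to contrast with the strict check:
    any string that merely begins with a registered value is accepted, which is
    the kind of leniency an open redirector in a redirect resolver comes from."""
    return any(requested.startswith(r) for r in registered)


# Constructed sample: a single registered callback for one client.
REGISTERED = {"https://app.example/cb"}

if __name__ == "__main__":
    for uri in ("https://app.example/cb", "https://app.example:443/cb",
                "https://app.example/cb/extra", "http://app.example/cb"):
        print(f"{uri:32} strict={redirect_allowed_strict(REGISTERED, uri)} "
              f"prefix={redirect_allowed_prefix(REGISTERED, uri)}")
```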

What is the Impact of CVE-2019-3778?

Successful exploitation may allow attackers to steal authorization codes, enabling them to gain unauthorized access to user accounts or resources by using the leaked code to obtain access tokens.

What is the Exploitability of CVE-2019-3778?

Exploitation of this open redirect vulnerability is of medium complexity. It typically requires no authentication for the initial request, as it targets the authorization endpoint itself. No special privileges are needed from the attacker's perspective, merely the ability to craft appropriate URLs. This is a remote vulnerability, relying on the attacker's ability to present a crafted link to a victim. Special conditions include the target application acting as an Authorization Server and specifically using the DefaultRedirectResolver. The likelihood of exploitation increases when applications expose their authorization endpoint directly to the internet and utilize the vulnerable redirect resolver without additional custom validation.

What are the Known Public Exploits?

PoC Author | Link | Commentary
BBB-man    | Link | Spring Security OAuth 2.3 Open Redirection: Analysis and Reproduction

What are the Available Fixes for CVE-2019-3778?

Available Upgrade Options

  • org.springframework.security.oauth:spring-security-oauth2
    • <2.0.17.RELEASE → Upgrade to 2.0.17.RELEASE
  • org.springframework.security.oauth:spring-security-oauth2
    • >2.1.0.RELEASE, <2.1.4.RELEASE → Upgrade to 2.1.4.RELEASE
  • org.springframework.security.oauth:spring-security-oauth2
    • >2.2.0.RELEASE, <2.2.4.RELEASE → Upgrade to 2.2.4.RELEASE
  • org.springframework.security.oauth:spring-security-oauth2
    • >2.3.0.RELEASE, <2.3.5.RELEASE → Upgrade to 2.3.5.RELEASE
  • org.springframework.security.oauth:spring-security-oauth
    • <2.0.17.RELEASE → Upgrade to 2.0.17.RELEASE
  • org.springframework.security.oauth:spring-security-oauth
    • >2.1.0.RELEASE, <2.1.4.RELEASE → Upgrade to 2.1.4.RELEASE
  • org.springframework.security.oauth:spring-security-oauth
    • >2.2.0.RELEASE, <2.2.4.RELEASE → Upgrade to 2.2.4.RELEASE
  • org.springframework.security.oauth:spring-security-oauth
    • >2.3.0.RELEASE, <2.3.5.RELEASE → Upgrade to 2.3.5.RELEASE


Additional Resources

What are Similar Vulnerabilities to CVE-2019-3778?

Similar Vulnerabilities: CVE-2020-5407, CVE-2019-11269, CVE-2017-4995, CVE-2021-22005, CVE-2018-1296