#VU15466 Privilege escalation in Spring Security OAuth - CVE-2018-15758

Cybersecurity Help s.r.o.

Published: 2018-10-22 | Updated: 2018-10-23

Vulnerability identifier: #VU15466

Vulnerability risk: Low

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-15758

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Spring Security OAuth
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists in the OAuth2 component of Pivotal Software Spring Security OAuth due to improper security restrictions. A remote unauthenticated attacker can send a specially crafted request and modify a previously saved authorization request to gain elevated privileges.

Mitigation
The vulnerability has been addressed in the versions 2.0.16, 2.1.3, 2.2.3, 2.3.4.

Vulnerable software versions

Spring Security OAuth: 2.0 - 2.3.3

External links
https://pivotal.io/security/cve-2018-15758

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell CloudLink

Multiple vulnerabilities in Red Hat Fuse

Privilege escalation in Pivotal Software Spring Security OAuth