CVE-2021-22119

HIGH

Vmware Spring Security < 5.2.11 - Incorrect Authorization

Title source: rule

Description

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

Exploits (1)

nomisec WORKING POC 1 stars
by mari6274 · poc
https://github.com/mari6274/oauth-client-exploit

References (9)

Scores

CVSS v3 7.5
EPSS 0.0490
EPSS Percentile 89.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400 CWE-863
Status published
Products (4)
oracle/communications_cloud_native_core_policy 1.14.0
org.springframework.security/spring-security-core 5.5.0 - 5.5.1Maven
org.springframework.security/spring-security-oauth2-client 5.5.0 - 5.5.1Maven
vmware/spring_security 5.2.0 - 5.2.11
Published Jun 29, 2021
Tracked Since Feb 18, 2026