CVE-2021-22119

HIGH

Spring Security 5.2.0-5.2.10, 5.3.0-5.3.9, 5.4.0-5.4.6, 5.5.0 - Denial of Service via OAuth 2.0 Authorization Request


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-22119. PoCs published by mari6274.

AI-analyzed exploit summary: The repository contains a functional exploit for CVE-2021-22119, demonstrating a DoS attack against a Spring OAuth2 client by flooding the `/oauth2/authorization/github` endpoint with concurrent requests. The exploit uses multiple threads to send repeated HTTP requests, potentially exhausting server resources.

Description

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

Exploits (1)

nomisec · Working PoC · 1 star
by mari6274 · poc
https://github.com/mari6274/oauth-client-exploit


Classification
Working PoC (90%)
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Spring OAuth2 Client (specific version not specified)
No auth needed
Prerequisites: Access to the target OAuth2 client endpoint
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.5
EPSS 0.0490
EPSS Percentile 89.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400 CWE-863
Status published
Products (4)
oracle/communications_cloud_native_core_policy 1.14.0
org.springframework.security/spring-security-core 5.5.0 - 5.5.1 (Maven)
org.springframework.security/spring-security-oauth2-client 5.5.0 - 5.5.1 (Maven)
vmware/spring_security 5.2.0 - 5.2.11
Published Jun 29, 2021
Tracked Since Feb 18, 2026