CVE-2022-22969
Severity: MEDIUM
Spring Security OAuth 2.5.x < 2.5.2 - Denial of Service via Authorization Request Flooding
Title source: llmDescription
Issue Description
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.
References (2)
Vendor Advisory: https://tanzu.vmware.com/security/cve-2022-22969
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
6.5
EPSS
0.0059
EPSS Percentile
69.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
Status
published
Products (3)
oracle/communications_design_studio
7.4.2
org.springframework.security.oauth/spring-security-oauth2
2.5.0.RELEASE - 2.5.2.RELEASE (Maven)
pivotal/spring_security_oauth
2.4.0 - 2.4.2
Published
Apr 21, 2022
Tracked Since
Feb 18, 2026