Resource Exhaustion in Spring Security
High severity
GitHub Reviewed
Published to the GitHub Advisory Database
Jul 2, 2021
Updated
Jan 27, 2023
Package
Affected versions
>= 5.5.0, < 5.5.1
>= 5.4.0, < 5.4.7
>= 5.3.0, <= 5.3.9
>= 5.2.0, <= 5.2.10
Patched versions
5.5.1
5.4.7
5.3.10
5.2.11
Description
Published by the National Vulnerability Database
Jun 29, 2021
Reviewed
Jun 30, 2021
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send many requests that each initiate the Authorization Request for the Authorization Code Grant, which can exhaust system resources using a single session or multiple sessions.