CVE-2022-22969 - OpenCVE

<Issue Description> Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Communications Design Studio
Pivotal	Spring Security Oauth

Configuration 1 [-]

cpe:2.3:a:pivotal:spring_security_oauth:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://tanzu.vmware.com/security/cve-2022-22969
https://www.oracle.com/security-alerts/cpujul2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2022-04-21T18:16:02

Updated: 2024-08-03T03:28:42.679Z

Reserved: 2022-01-10T00:00:00

Link: CVE-2022-22969

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-21T19:15:08.903

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-22969

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Spring Security OAuth", "vendor": "n/a", "versions": [{"status": "affected", "version": "<affected versions> Spring Security OAuth 2.5.x prior to 2.5.2 and older unsupported versions"}]}], "descriptions": [{"lang": "en", "value": "<Issue Description> Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service (DoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:47:21", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://tanzu.vmware.com/security/cve-2022-22969"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2022-22969", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spring Security OAuth", "version": {"version_data": [{"version_value": "<affected versions> Spring Security OAuth 2.5.x prior to 2.5.2 and older unsupported versions"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "<Issue Description> Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (DoS)"}]}]}, "references": {"reference_data": [{"name": "https://tanzu.vmware.com/security/cve-2022-22969", "refsource": "MISC", "url": "https://tanzu.vmware.com/security/cve-2022-22969"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:42.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://tanzu.vmware.com/security/cve-2022-22969"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2022-22969", "datePublished": "2022-04-21T18:16:02", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pivotal:spring_security_oauth:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DB30D32-D606-4F64-9BDE-E78F4C8A2132", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "A67AA54B-258D-4D09-9ACB-4085E0B3E585", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "<Issue Description> Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only."}, {"lang": "es", "value": "(Descripci\u00f3n del problema) Spring Security OAuth versiones 2.5.x anteriores a 2.5.2 y las versiones m\u00e1s antiguas no soportadas, son susceptibles a un ataque de denegaci\u00f3n de servicio (DoS) por medio de la iniciaci\u00f3n de la petici\u00f3n de autorizaci\u00f3n en una aplicaci\u00f3n cliente OAuth versi\u00f3n 2.0. Un usuario o atacante malicioso puede enviar m\u00faltiples peticiones iniciando la Solicitud de Autorizaci\u00f3n para la Concesi\u00f3n del C\u00f3digo de Autorizaci\u00f3n, lo que presenta el potencial de agotar los recursos del sistema usando una sola sesi\u00f3n. Esta vulnerabilidad s\u00f3lo expone las aplicaciones OAuth versi\u00f3n 2.0 Client"}], "id": "CVE-2022-22969", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-21T19:15:08.903", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://tanzu.vmware.com/security/cve-2022-22969"}, {"source": "security@vmware.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}