Lars Kiesow
Apr 3, 2019, 5:42:39 PM
to security...@opencast.org
Hi everyone,
this is an official security notice about a vulnerability in Opencast
version ≤5.5 and ≤6.4 which included a problematic version of the Spring
Security OAuth library. If you use OAuth, please upgrade to Opencast 5.5
or 6.4.
Details:
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to
2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older
unsupported versions could be susceptible to an open redirector attack
that can leak an authorization code.
A malicious user or attacker can craft a request to the authorization
endpoint using the authorization code grant type, and specify a
manipulated redirection URI via the "redirect_uri" parameter. This can
cause the authorization server to redirect the resource owner user-agent
to a URI under the control of the attacker with the leaked authorization
code.
This vulnerability exposes applications that meet all of the following
requirements: Act in the role of an Authorization Server (e.g.
@EnableAuthorizationServer) and uses the DefaultRedirectResolver in the
AuthorizationEndpoint.
This vulnerability does not expose applications that: Act in the role of
an Authorization Server and uses a different RedirectResolver
implementation other than DefaultRedirectResolver, act in the role of a
Resource Server only (e.g. @EnableResourceServer), act in the role of a
Client only (e.g. @EnableOAuthClient).
Many thanks to Karen Dolan (Harvard DCE) for upgrading the library in
Opencast.
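As an added illustration, not code from Opencast or from Spring Security OAuth, the following Python models the kind of strict redirect_uri check an authorization server needs so that a manipulated "redirect_uri" cannot steer the authorization code to a host the attacker controls: the requested URI must match a registered one exactly after normalisation, never by prefix, subdomain or path. The client id and registered callback are constructed sample values.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed client registry (not Opencast's or Spring's data): each client
# lists the exact redirect URIs it registered when it was created.
REGISTERED_REDIRECTS = {
    "opencast-lms": {"https://lms.example.edu/oauth/callback"},
}


def _normalise(uri: str) -> Tuple[str, str, int, str, str]:
    """Canonical (scheme, host, port, path, query) for exact comparison."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"unsupported or malformed redirect_uri: {uri}")
    if parts.fragment:
        raise ValueError("redirect_uri must not carry a fragment")
    if parts.username or parts.password:
        # "https://evil.example@lms.example.edu/..." parses with the right
        # host but carries userinfo; reject rather than reason about it.
        raise ValueError("redirect_uri must not carry userinfo")
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)


def resolve_redirect(client_id: str, requested: Optional[str]) -> str:
    """Return the redirect URI the server may use for this request, or raise.

    Strict policy: exact match against a registered URI. Looser matching
    (shared prefix, matching parent domain, matching path only) is what
    turns the authorization endpoint into an open redirector.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        raise ValueError(f"unknown client or no redirect URIs registered: {client_id}")
    if requested is None:
        # Omitting redirect_uri is only unambiguous with one registered URI.
        if len(allowed) == 1:
            return next(iter(allowed))
        raise ValueError("redirect_uri required: client has several registered URIs")
    norm = _normalise(requested)
    for candidate in allowed:
        if norm == _normalise(candidate):
            return candidate  # always hand back the registered form
    raise ValueError(f"redirect_uri not registered for {client_id}: {requested}")


def is_allowed(client_id: str, requested: Optional[str]) -> bool:
    """Boolean wrapper: True only when resolve_redirect accepts the request."""
    try:
        resolve_redirect(client_id, requested)
        return True
    except ValueError:
        return False
```

Rejected requests should be logged with the client id and the offending redirect_uri, since repeated attempts at unregistered hosts are a useful detection signal.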