CVE-2022-22969 Older versions of Spring Security's OAuth 2.5.x are vulnerable to a DoS attack.
OAuth 2.0 Server applications are not vulnerable. OAuth 2.0 Server applications are not susceptible to this issue, as the Server does not make the Authorization Request. This issue has been fixed in the latest 2.5.2 version. The second, older unsupported version is 2.0.1, which was released in March 2017. This release is no longer supported and has been patched. Users running 2.0.1 are encouraged to update their installations to 2.5.2. Users running older unsupported versions are advised to update to 2.5.2 as soon.
What is the OAuth 2.0 Authorization Server vulnerability?
OAuth 2.0 is a protocol that allows clients to access protected resources on an HTTP server, like a social media website or an e-commerce store. The OAuth 2.0 protocol allows third party applications to make use of the user's authentication information without the need for the user to share or disclose their credentials.
In this particular scenario, the user displays a page on their website that is protected with OAuth 2.0 and includes login fields. The first time they go to the page, they will be asked if they want to allow their browser to remember their username and password, which will save them time in future visits by not having to log in again. The browser remembers this username and password in its local storage, so when they later visit the same protected resource, it automatically logs them in without prompting for credentials again.
What is OAuth 2.0?
OAuth 2.0 is a widely-used authorization framework that enables secure authentication and token exchange without requiring users to re-enter their credentials or share personal information. It was designed for web applications, but many software developers have adopted it for mobile apps as well.
Timeline
Published on: 04/21/2022 19:15:00 UTC
Last modified on: 07/25/2022 18:20:00 UTC