CVE-2024-22258

Spring Authorization Server versions 1.0.0 through 1.0.5, 1.1.0 through 1.1.5, 1.2.0 through 1.2.2, and older unsupported versions are susceptible to a PKCE downgrade attack against confidential clients. Specifically, an application is vulnerable when a confidential client uses PKCE with the authorization code grant. An application is not vulnerable when a public client uses PKCE with the authorization code grant.
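The following is an added, self-contained model of the check at the heart of a PKCE downgrade, written for this entry; it is not Spring Authorization Server's code and does not reproduce the project's classes. Client, AuthorizationCode, redeem_vulnerable, redeem_fixed and the client identifiers are constructed assumptions. The flawed variant models the general shape of a downgrade as described in RFC 9700 Section 4.8: PKCE is treated as mandatory only for public clients, so a confidential client's code issued from an authorization request that carried no code_challenge is redeemed without any verifier check. The hardened variant enforces PKCE symmetrically for every client type: a stored challenge requires a matching verifier, and a verifier in the token request is rejected when no challenge was stored.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of a token endpoint's PKCE handling. Client, AuthorizationCode,
# redeem_vulnerable and redeem_fixed are illustrative names and logic assumed for
# this example; they are not Spring Authorization Server's own classes or code.


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for method S256."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: Optional[str]  # None models a public client

    @property
    def is_public(self) -> bool:
        return self.client_secret is None


@dataclass(frozen=True)
class AuthorizationCode:
    """What the server stored when it issued the code at the authorization endpoint."""
    code: str
    client_id: str
    code_challenge: Optional[str]        # None: the authorization request carried no PKCE
    code_challenge_method: Optional[str]


def verifier_matches(challenge: str, method: Optional[str], verifier: str) -> bool:
    """RFC 7636 comparison, constant-time on the encoded values."""
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method in (None, "plain"):
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


def redeem_vulnerable(client: Client, stored: AuthorizationCode, verifier: Optional[str]) -> bool:
    """Assumed flawed check: PKCE is mandatory only for public clients.

    For a confidential client, a code issued from an authorization request without
    code_challenge is accepted with no PKCE verification at all, even when the token
    request carries a code_verifier. That silent skip is the downgrade.
    """
    if stored.client_id != client.client_id:
        return False
    if stored.code_challenge is None:
        return not client.is_public      # public clients must use PKCE; confidential ones skip it
    if verifier is None:
        return False
    return verifier_matches(stored.code_challenge, stored.code_challenge_method, verifier)


def redeem_fixed(client: Client, stored: AuthorizationCode, verifier: Optional[str]) -> bool:
    """Hardened check: if either leg of the flow uses PKCE, both must, for every client type.

    A code_verifier sent for a code whose authorization request had no code_challenge is
    rejected, as is a missing verifier for a code that was bound to a challenge.
    """
    if stored.client_id != client.client_id:
        return False
    if stored.code_challenge is None:
        return not client.is_public and verifier is None
    if verifier is None:
        return False
    return verifier_matches(stored.code_challenge, stored.code_challenge_method, verifier)


def downgrade_scenario() -> dict:
    """Authorization code injection against a confidential client that uses PKCE.

    The attacker starts an authorization request for the same client_id WITHOUT a
    code_challenge, obtains a code bound to their own session, and injects it into the
    victim's callback. The honest client redeems it with the verifier from its own
    PKCE-protected request. No stored challenge can match that verifier, so a correct
    server must reject; the flawed one accepts because it never looks at PKCE.
    """
    web_app = Client("web-app", "client-secret")   # constructed confidential client
    honest_verifier = b64url(secrets.token_bytes(32))
    honest_code = AuthorizationCode("code-honest", "web-app", s256_challenge(honest_verifier), "S256")
    injected_code = AuthorizationCode("code-attacker", "web-app", None, None)
    return {
        "honest_vulnerable": redeem_vulnerable(web_app, honest_code, honest_verifier),
        "honest_fixed": redeem_fixed(web_app, honest_code, honest_verifier),
        "injected_vulnerable": redeem_vulnerable(web_app, injected_code, honest_verifier),
        "injected_fixed": redeem_fixed(web_app, injected_code, honest_verifier),
        "missing_verifier_fixed": redeem_fixed(web_app, honest_code, None),
    }


if __name__ == "__main__":
    for name, accepted in downgrade_scenario().items():
        print(f"{name:24s} -> {'token issued' if accepted else 'invalid_grant'}")
```

Running the script shows the honest flow accepted by both variants, the injected code accepted only by redeem_vulnerable, and a token request that omits code_verifier for a challenge-bound code rejected by redeem_fixed. The public-client branch is unchanged between the two variants, which matches the entry's statement that public clients using PKCE are not affected.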
Configurations

No configuration.

History

05 Dec 2024, 21:15

Type   Values Removed   Values Added
CWE                     CWE-470

Information

Published : 2024-03-20 04:15

Updated : 2024-12-05 21:15


NVD link : CVE-2024-22258

Mitre link : CVE-2024-22258

CVE.ORG link : CVE-2024-22258



Products Affected

No product.

CWE
CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')