CVE-2018-1260

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-1260
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1260.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-1260
Aliases
Published
2018-05-11T20:29:00.353Z
Modified
2026-05-18T15:26:48.504264Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

References

Affected packages

Git / github.com/spring-attic/spring-security-oauth

Affected ranges

Type
GIT
Repo
https://github.com/spring-attic/spring-security-oauth
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
599e24db47d6b40eaa8af72dfda5e2b439b0ddfa
Introduced
220183d8cf56860cddae2def4efdb1a552b60d69
Last affected
0d9036078cfb672726cf64f9c1e26845b9bb4e19
Introduced
4701c737204017ddfed2e18069de9d77191a6813
Last affected
ffd9d4b90fbb2e3601601c3674260df99fb65f98
Introduced
f0b82d84dbd02d98a4e313d9357906b053ca4b18
Last affected
97e39dde7e88aae802be98de084a382886ca4255
Database specific 
{
    "cpe": "cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.14"
        },
        {
            "introduced": "2.1"
        },
        {
            "last_affected": "2.1.1"
        },
        {
            "introduced": "2.2"
        },
        {
            "last_affected": "2.2.1"
        },
        {
            "introduced": "2.3"
        },
        {
            "last_affected": "2.3.2"
        }
    ],
    "source": "CPE_FIELD"
}

Affected versions

1.*
1.0.0.M5
1.0.0.M6
1.0.0.M6a
1.0.0.M6b
1.0.0.M6d
1.0.0.RC1
1.0.0.RC2
1.0.0.RC3
1.0.1.RELEASE
1.0.3.RELEASE
1.0.4.RELEASE
1.0.5.RELEASE
2.*
2.0.0.M2
2.0.0.M3
2.0.0.M4
2.0.0.RC1
2.0.0.RC2
2.0.0.RELEASE
2.0.1.RELEASE
2.0.10.RELEASE
2.0.11.RELEASE
2.0.12.RELEASE
2.0.13.RELEASE
2.0.14.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.8.RELEASE
2.0.9.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.2.0.RELEASE
2.2.1.RELEASE
2.3.0.RELEASE
2.3.1.RELEASE
2.3.2.RELEASE
jwt1.*
jwt1.0.1.RELEASE
jwt1.0.6.RELEASE
jwt1.0.7.RELEASE
jwt1.0.8.RELEASE

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1260.json"