Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2015-5258 Spring Social CSRF
Description
When authorizing an application against an OAuth 2 API provider, Spring Social is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The attack involves a malicious user beginning an OAuth 2 authorization flow using a fake account with an OAuth 2 API provider, but completing it by tricking the victim into visiting the callback request in their browser. As a consequence, the attacker will have access to the victim's account on the vulnerable site by way of the fake provider account.
Affected Spring Products and Versions
- Spring Social Core 1.0.0 to 1.0.3
- Spring Social Core 1.1.0 to 1.1.2
Mitigation
Users of affected Spring Social versions should upgrade as follows:
- For Spring Social 1.0.x upgrade to 1.1.3+
- For Spring Social 1.1.x upgrade to 1.1.3+
In the above mentioned versions, Spring Social requires the existence of a `state` parameter in the callback request. If it is not found, an IllegalStateException is thrown and the authorization flow is terminated.
Credit
The issue was first found by Kris Bosch from Include Security. Paul Ambrosini from sourceclear (https://srcclr.com) then identified the root cause, vulnerable library and vulnerable code.
References
History
2015-Nov-12: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all