Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-22258: PKCE Downgrade in Spring Authorization Server
Description
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.
Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant.
An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
Affected Spring Products and Versions
Spring Authorization Server
- 1.0.0 - 1.0.5
- 1.1.0 - 1.1.5
- 1.2.0 - 1.2.2
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 1.0.x | 1.0.6 | Enterprise Support Only |
| 1.1.x | 1.1.6 | OSS |
| 1.2.x | 1.2.3 | OSS |
Credit
This issue was identified and responsibly reported by Pieter Philippaerts ([email protected]).
References
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all