CVE-2022-22969

{"id": "CVE-2022-22969", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-04-21T19:15:08.903", "references": [{"url": "https://tanzu.vmware.com/security/cve-2022-22969", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@vmware.com"}, {"url": "https://tanzu.vmware.com/security/cve-2022-22969", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "<Issue Description> Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only."}, {"lang": "es", "value": "(Descripci\u00f3n del problema) Spring Security OAuth versiones 2.5.x anteriores a 2.5.2 y las versiones m\u00e1s antiguas no soportadas, son susceptibles a un ataque de denegaci\u00f3n de servicio (DoS) por medio de la iniciaci\u00f3n de la petici\u00f3n de autorizaci\u00f3n en una aplicaci\u00f3n cliente OAuth versi\u00f3n 2.0. Un usuario o atacante malicioso puede enviar m\u00faltiples peticiones iniciando la Solicitud de Autorizaci\u00f3n para la Concesi\u00f3n del C\u00f3digo de Autorizaci\u00f3n, lo que presenta el potencial de agotar los recursos del sistema usando una sola sesi\u00f3n. Esta vulnerabilidad s\u00f3lo expone las aplicaciones OAuth versi\u00f3n 2.0 Client"}], "lastModified": "2024-11-21T06:47:42.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal:spring_security_oauth:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A137BE31-252D-4B38-8C9C-E4CA2030FDB1", "versionEndExcluding": "2.4.2", "versionStartIncluding": "2.4.0"}, {"criteria": "cpe:2.3:a:pivotal:spring_security_oauth:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DB30D32-D606-4F64-9BDE-E78F4C8A2132", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.5.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A67AA54B-258D-4D09-9ACB-4085E0B3E585"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}