CVE-2018-1260

critical

Description

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2018:2939

https://access.redhat.com/errata/RHSA-2018:1809

http://www.securityfocus.com/bid/104158

https://pivotal.io/security/cve-2018-1260

Details

Source: Mitre, NVD

Published: 2018-05-11

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.08352