SCA: security update for org.springframework.security.oauth:spring-security-oauth2 (GHSA-h8w4-qv99-f7vj)

high Tenable Self-Hosted Container Security Plugin ID 422488

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument.

  This vulnerability exposes applications that meet all of the following requirements:
  - act in the role of an Authorization Server (e.g. @EnableAuthorizationServer), and
  - use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument.

  This vulnerability does not expose applications that:
  - act in the role of an Authorization Server and use the default Approval Endpoint,
  - act in the role of a Resource Server only (e.g. @EnableResourceServer), or
  - act in the role of a Client only (e.g. @EnableOAuthClient).

  (CVE-2018-15758)

Solution

Update the org.springframework.security.oauth:spring-security-oauth2 library and its related packages to version 2.0.16 or later.

See Also

https://github.com/advisories/GHSA-h8w4-qv99-f7vj

Plugin Details

Severity: High

ID: 422488

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 3/22/2026

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-15758

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/19/2018

Vulnerability Publication Date: 10/16/2018

Reference Information

CVE: CVE-2018-15758

BID: 105687

CWE: CWE-269