SCA: security update for org.springframework.security.oauth:spring-security-oauth (GHSA-mmf6-6597-3v6m)

medium Tenable Self-Hosted Container Security Plugin ID 423288

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior
to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that
can leak an authorization code. A malicious user or attacker can craft a request to the authorization
endpoint using the authorization code grant type, and specify a manipulated redirection URI via the
redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent
to a URI under the control of the attacker with the leaked authorization code. (CVE-2019-11269)

See Also

https://github.com/advisories/GHSA-mmf6-6597-3v6m

Plugin Details

Severity: Medium

ID: 423288

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 56.93

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-11269

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/13/2019

Vulnerability Publication Date: 5/30/2019

Reference Information

CVE: CVE-2019-11269

BID: 108534

cwe: CWE-601