Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.
Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant.
An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
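The advisory does not describe the server's internals, so the following is an added example and not Spring Authorization Server's code. It models the enforcement mistake that defines the PKCE-downgrade class for confidential clients: a token endpoint that treats successful client authentication as a substitute for the code_verifier check. An authorization code issued against a code_challenge is then redeemable without the verifier, so holding a leaked code plus the client credentials is enough. The hardened rule is to require and verify code_verifier whenever the authorization request carried a code_challenge, regardless of client type. Client identifiers, secrets and the stored-code shape are all constructed for the example; the S256 derivation follows RFC 7636.

```python
"""Constructed model of PKCE enforcement at an OAuth 2.0 token endpoint.

Compares a weak policy (PKCE enforced only for public clients) with the
correct one (PKCE enforced whenever the code was bound to a code_challenge).
Everything here is constructed for illustration; it is not the project's code.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), per RFC 7636 section 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str] = None  # None marks a public client

    @property
    def confidential(self) -> bool:
        return self.client_secret is not None


@dataclass
class AuthorizationCode:
    """What the server stored when the authorization endpoint issued the code."""
    client_id: str
    code_challenge: Optional[str] = None
    code_challenge_method: Optional[str] = None


def pkce_matches(issued: AuthorizationCode, code_verifier: str) -> bool:
    """Recompute the challenge from the presented verifier and compare in constant time."""
    if issued.code_challenge_method == "S256":
        expected = s256_challenge(code_verifier)
    elif issued.code_challenge_method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, issued.code_challenge or "")


def token_endpoint(clients, codes, params, *, enforce_pkce_for_confidential):
    """Return ("ok", token) or ("error", oauth_error). Codes are single-use, so `codes` is mutated."""
    client = clients.get(params.get("client_id"))
    if client is None:
        return ("error", "invalid_client")
    if client.confidential:
        presented = params.get("client_secret", "")
        if not hmac.compare_digest(client.client_secret, presented):
            return ("error", "invalid_client")
    issued = codes.pop(params.get("code"), None)
    if issued is None or issued.client_id != client.client_id:
        return ("error", "invalid_grant")

    if issued.code_challenge is not None:
        # Weak policy: client authentication is (wrongly) taken as sufficient for
        # confidential clients, so the verifier check is skipped for them.
        # Correct policy: a code bound to a code_challenge always needs its verifier.
        pkce_required = enforce_pkce_for_confidential or not client.confidential
        if pkce_required:
            verifier = params.get("code_verifier")
            if verifier is None or not pkce_matches(issued, verifier):
                return ("error", "invalid_grant")
    return ("ok", {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"})


def redeem(*, send_verifier: Optional[str], enforce_pkce_for_confidential: bool) -> str:
    """Redeem a PKCE-bound code as a constructed confidential client.

    send_verifier: None omits code_verifier (the downgrade attempt),
    "correct" sends the real one, "wrong" sends a random one.
    """
    clients = {"web-app": Client("web-app", client_secret="constructed-secret")}
    verifier = secrets.token_urlsafe(32)
    codes = {"code-1": AuthorizationCode("web-app", s256_challenge(verifier), "S256")}
    params = {"grant_type": "authorization_code", "client_id": "web-app",
              "client_secret": "constructed-secret", "code": "code-1"}
    if send_verifier == "correct":
        params["code_verifier"] = verifier
    elif send_verifier == "wrong":
        params["code_verifier"] = secrets.token_urlsafe(32)
    status, _ = token_endpoint(clients, codes, params,
                               enforce_pkce_for_confidential=enforce_pkce_for_confidential)
    return status


if __name__ == "__main__":
    print("weak policy, verifier omitted:", redeem(send_verifier=None, enforce_pkce_for_confidential=False))
    print("strict policy, verifier omitted:", redeem(send_verifier=None, enforce_pkce_for_confidential=True))
    print("strict policy, correct verifier:", redeem(send_verifier="correct", enforce_pkce_for_confidential=True))
```

The useful regression check for an authorization server is the second call: a confidential client that started the flow with a code_challenge and then omits code_verifier at the token endpoint must receive invalid_grant, not a token. Authenticating the client and binding the code to a PKCE challenge are independent controls, and the downgrade exists precisely when one is allowed to stand in for the other.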
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://spring.io/security/cve-2024-22258 | |
History
Thu, 05 Dec 2024 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-470 |
Wed, 20 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc |
MITRE
Status: PUBLISHED
Assigner: vmware
Published: 2024-03-20T03:58:13.125Z
Updated: 2024-12-05T20:31:25.882Z
Reserved: 2024-01-08T18:43:15.943Z
Link: CVE-2024-22258
Vulnrichment
Updated: 2024-08-01T22:43:33.663Z
NVD
Status: Awaiting Analysis
Published: 2024-03-20T04:15:08.600
Modified: 2024-12-05T21:15:07.530
Link: CVE-2024-22258
Redhat
No data.