Authorization Bypass Vulnerability in Spring Security 5.1.x

CVE-2018-15801 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability in JWT issuer validation. A deployment is affected only when the same private key that signs the honest issuer's JWTs is also available to a malicious user. In that case, the malicious user can sign JWTs carrying a malicious issuer URL, and a resource server may accept them as if they had been issued by the honest issuer.
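The fix for this advisory is to upgrade to Spring Security 5.1.2 or later. Independently of that, a resource server should make sure its `JwtDecoder` actually enforces the expected issuer rather than only checking the signature and timestamps. The configuration below is an added example written for this page, not code from the Spring Security project or the advisory; it uses the public 5.1.x APIs `NimbusJwtDecoderJwkSupport`, `JwtValidators.createDefaultWithIssuer` and `DelegatingOAuth2TokenValidator`, and adds a second validator that compares the raw `iss` claim to the configured issuer as an exact string. The issuer and JWK Set URI values are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values for illustration; in a real deployment these come from
    // the identity provider's metadata / application properties.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String JWK_SET_URI = "https://issuer.example.com/.well-known/jwks.json";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification against the issuer's published JWK Set.
        NimbusJwtDecoderJwkSupport decoder = new NimbusJwtDecoderJwkSupport(JWK_SET_URI);

        // Library defaults plus Spring Security's own issuer validator:
        // exp/nbf timestamp checks and an "iss" check against ISSUER.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        // Defence in depth: an independent exact string comparison of the "iss"
        // claim. A token signed with the right key but carrying any other issuer
        // string (the scenario in this advisory) is rejected here regardless of
        // how the library's own validator normalises or compares issuers.
        OAuth2TokenValidator<Jwt> exactIssuer = jwt -> {
            String iss = jwt.getClaimAsString(JwtClaimNames.ISS);
            if (ISSUER.equals(iss)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "Unexpected issuer: " + iss, null));
        };

        // Both validators must pass; a failure in either rejects the token.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, exactIssuer));
        return decoder;
    }
}
```

With this bean in place, a JWT whose `iss` claim is anything other than the configured issuer fails validation with an `invalid_token` error even if its signature verifies, which is the condition a resource server needs to hold when a signing key may be shared between issuers. This does not remove the need to upgrade to 5.1.2.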
