{"id":"CVE-2018-1260","details":"Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.","aliases":["GHSA-rrpm-pj7p-7j9q"],"modified":"2026-05-18T15:26:48.504264Z","published":"2018-05-11T20:29:00.353Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/104158"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1809"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2939"},{"type":"ADVISORY","url":"https://pivotal.io/security/cve-2018-1260"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-attic/spring-security-oauth","events":[{"introduced":"0"},{"last_affected":"599e24db47d6b40eaa8af72dfda5e2b439b0ddfa"},{"introduced":"220183d8cf56860cddae2def4efdb1a552b60d69"},{"last_affected":"0d9036078cfb672726cf64f9c1e26845b9bb4e19"},{"introduced":"4701c737204017ddfed2e18069de9d77191a6813"},{"last_affected":"ffd9d4b90fbb2e3601601c3674260df99fb65f98"},{"introduced":"f0b82d84dbd02d98a4e313d9357906b053ca4b18"},{"last_affected":"97e39dde7e88aae802be98de084a382886ca4255"}],"database_specific":{"cpe":"cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"2.0.14"},{"introduced":"2.1"},{"last_affected":"2.1.1"},{"introduced":"2.2"},{"last_affected":"2.2.1"},{"introduced":"2.3"},{"last_affected":"2.3.2"}],"source":"CPE_FIELD"}}],"versions":["2.3.2.RELEASE","2.3.1.RELEASE","2.3.0.RELEASE","2.2.1.RELEASE","2.2.0.RELEASE","2.1.1.RELEASE","2.0.14.RELEASE","jwt1.0.8.RELEASE","2.1.0.RELEASE","2.0.13.RELEASE","jwt1.0.7.RELEASE","jwt1.0.6.RELEASE","2.0.12.RELEASE","2.0.11.RELEASE","2.0.10.RELEASE","2.0.9.RELEASE","2.0.8.RELEASE","2.0.3.RELEASE","2.0.2.RELEASE","2.0.1.RELEASE","2.0.0.RELEASE","2.0.0.RC2","2.0.0.RC1","2.0.0.M4","2.0.0.M3","2.0.0.M2","1.0.5.RELEASE","1.0.4.RELEASE","1.0.3.RELEASE","jwt1.0.1.RELEASE","1.0.1.RELEASE","1.0.0.RC3","1.0.0.RC2","1.0.0.RC1","1.0.0.M6d","1.0.0.M6b","1.0.0.M6a","1.0.0.M6","1.0.0.M5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1260.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}