Vulnerability description

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval endpoint that can modify the previously saved authorization request and lead to a privilege escalation on the subsequent approval. This scenario can happen if the application is configured to use a custom approval endpoint that declares AuthorizationRequest as a controller method argument.

This vulnerability exposes applications that meet all of the following requirements:

  • Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)

  • Use a custom Approval Endpoint that declares AuthorizationRequest as a controller method argument

This vulnerability does not expose applications that:

  • Act in the role of an Authorization Server and use the default Approval Endpoint

  • Act in the role of a Resource Server only (e.g. @EnableResourceServer)

  • Act in the role of a Client only (e.g. @EnableOAuthClient)

Vulnerability description (Chinese notes)

  • If the application uses EnableResourceServer together with AuthorizationRequest, an attacker can resend an authorization request that has already been used, or modify its parameters accordingly, resulting in privilege escalation. (There is no mechanism that invalidates the request after a single use.)

  • For example, hijack someone else's code and tamper with its scope to all. (The application scenario is a downstream app ISV cheating: the user only authorized read, but all was actually authorized.)
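A custom approval endpoint in the two shapes the advisory above contrasts, as an added example (not the page's or Spring's own code): the vulnerable signature that declares AuthorizationRequest as a controller method argument, beside the hardened one that reads the saved request out of the Model. Assumed: the session attribute name "authorizationRequest", the approval parameter "user_oauth_approval", and the hypothetical `finish` hand-off with its `/oauth/issue` and `/oauth/denied` views, which stand in for the application's own issuance step.

```java
import java.util.Map;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
// Added example, not Spring's own code. Assumes the preceding GET /oauth/authorize
// stored the AuthorizationRequest in the session as model attribute "authorizationRequest".
@Controller
@SessionAttributes("authorizationRequest")
public class CustomApprovalEndpoint {

    // VULNERABLE: AuthorizationRequest as a method argument is a model attribute, so
    // Spring MVC loads the saved object from the session and then data-binds the POST
    // parameters onto it; a scope=... parameter rewrites the request the user consented to.
    // (Distinct path only so both forms can be shown; an app registers one, not both.)
    @RequestMapping(value = "/oauth/authorize-unsafe", method = RequestMethod.POST,
                    params = "user_oauth_approval")
    public String approveUnsafe(@RequestParam Map<String, String> approvalParameters,
                                AuthorizationRequest authorizationRequest,
                                SessionStatus sessionStatus) {
        return finish(authorizationRequest, approvalParameters, sessionStatus);
    }

    // HARDENED: take the Model and read the saved request out of it. No data binding
    // touches the stored object, so it is exactly what was saved at consent time.
    @RequestMapping(value = "/oauth/authorize", method = RequestMethod.POST,
                    params = "user_oauth_approval")
    public String approveSafe(@RequestParam Map<String, String> approvalParameters,
                              Map<String, ?> model, SessionStatus sessionStatus) {
        AuthorizationRequest saved = (AuthorizationRequest) model.get("authorizationRequest");
        if (saved == null) {
            sessionStatus.setComplete();
            throw new IllegalStateException("no pending authorization request in session");
        }
        return finish(saved, approvalParameters, sessionStatus);
    }

    // Hypothetical hand-off: record the decision and clear the session copy so the
    // same saved request cannot be approved again, then continue to issuance.
    private String finish(AuthorizationRequest request, Map<String, String> params,
                          SessionStatus sessionStatus) {
        request.setApproved("true".equals(params.get("user_oauth_approval")));
        sessionStatus.setComplete();
        return request.isApproved() ? "forward:/oauth/issue" : "redirect:/oauth/denied";
    }
}
```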

References

Other TODOs

  • Experimental results to be added.

Keyword reference

  • The application uses AuthorizationRequest.

  • The application uses @EnableAuthorizationServer.

Reference material