CVE-2024-22258

MEDIUM Year: 2024
CVSS v3 Score
6.1
Medium
Weakness Type
CWE-470
View all →

Vulnerability Description

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.

Related Vulnerabilities

CVE-2019-20635

MEDIUM
CVSS:6.1(Medium)

codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields.

CWE-4702019

CVE-2023-37207

MEDIUM
CVSS:6.5(Medium)

A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing...

CWE-4702023

CVE-2019-3834

MEDIUM
CVSS:5.6(Medium)

It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that...

CWE-4702019

CVE-2004-2331

MEDIUM
CVSS:5.5(Medium)

ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using...

CWE-4702004

CVE-2023-35680

MEDIUM
CVSS:5.5(Medium)

In multiple locations, there is a possible way to import contacts belonging to other users due to a confused deputy. This could lead to local information disclosure with no additional execution privil...

CWE-4702023

CVE-2024-1574

MEDIUM
CVSS:6.7(Medium)

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 ...

CWE-4702024