CVE-2022-31690 - Privilege Escalation
Severity: None2022-11-18
Abstract
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.
The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Feedback v2.1.3 and older | None | Oxygen Feedback 2.1.4 build 2022111716 |
Oxygen Content Fusion v5.0.1 and older | None | Content Fusion 5.0.2 build 2022121305 |
Detail
CVE-2022-31690
Severity: High
CVSS Score: 8.1
The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31690 vulnerability description. However, the Access Token returned by Oxygen Feedback does not contain an empty scope list. For that reason, Oxygen XML products are not affected by this vulnerability
Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.
Starting with Oxygen Content Fusion v5.0.2 build 2022121305 Spring Security library was updated to v5.7.5 which fixes this vulnerability.