=====================================================================
CERT-Renater Note d'Information No. 2024/VULN140
_____________________________________________________________________

DATE : 25/03/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running jupyter-server-proxy (pip) versions prior to 4.1.1, 3.2.3.
=====================================================================

https://spring.io/security/cve-2024-22258/
_____________________________________________________________________

CVE-2024-22258: PKCE Downgrade in Spring Authorization Server
MEDIUM | MARCH 19, 2024 | CVE-2024-22258

Description

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.

Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.

Affected Spring Products and Versions

Spring Authorization Server
  1.0.0 - 1.0.5
  1.1.0 - 1.1.5
  1.2.0 - 1.2.2
  Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
1.0.x                 1.0.6         Enterprise Support Only
1.1.x                 1.1.6         OSS
1.2.x                 1.2.3         OSS

Credit

This issue was identified and responsibly reported by Pieter Philippaerts ([email protected]).
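The advisory states that the downgrade affects confidential clients only. The following added example (not Spring's code, and not the exact fault in Spring Authorization Server) illustrates the defect class at a token endpoint: a weak check that skips PKCE verification once a confidential client has authenticated with its secret, beside a corrected check that verifies the code_verifier whenever the authorization request bound a code_challenge, regardless of client type. The stored code, client flags and verifier values are constructed for the illustration; the S256 pair is the RFC 7636 appendix example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthorizationCode:
    """What the server remembers about an issued code (constructed example)."""
    client_id: str
    code_challenge: Optional[str]         # None if the auth request sent no PKCE
    code_challenge_method: Optional[str]  # "S256", "plain" or None


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_matches(code: AuthorizationCode, code_verifier: Optional[str]) -> bool:
    """True only if the verifier reproduces the challenge bound to this code."""
    if code.code_challenge is None:
        return True                        # no PKCE was requested for this code
    if code_verifier is None:
        return False                       # challenge bound but verifier omitted
    if code.code_challenge_method == "S256":
        expected = s256_challenge(code_verifier)
    elif code.code_challenge_method in (None, "plain"):
        expected = code_verifier
    else:
        return False                       # unknown method: reject
    return hmac.compare_digest(expected, code.code_challenge)


def token_request_ok_weak(code: AuthorizationCode, client_authenticated: bool,
                          code_verifier: Optional[str]) -> bool:
    """Downgrade-prone pattern: client secret treated as a substitute for PKCE."""
    if client_authenticated:
        return True                        # PKCE silently skipped for confidential clients
    return pkce_matches(code, code_verifier)


def token_request_ok_fixed(code: AuthorizationCode, client_authenticated: bool,
                           is_public_client: bool, code_verifier: Optional[str]) -> bool:
    """Corrected pattern: client authentication and PKCE are independent checks."""
    if not is_public_client and not client_authenticated:
        return False                       # confidential client must still authenticate
    return pkce_matches(code, code_verifier)
```

The weak variant accepts a token request from an authenticated confidential client with no code_verifier at all, which is the downgrade the advisory describes; the fixed variant rejects it.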
References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C/CR:L/IR:L/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:C/MC:L/MI:L/MA:N&version=3.1
https://cwe.mitre.org/data/definitions/287.html

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr  +
=========================================================