Spring Security OAuth 2.3 CSRF cross-site request forgery vulnerability

Summary

Spring Security OAuth is a library from Pivotal Software that adds OAuth 1 and OAuth 2 support to Spring Web applications.

Spring Security OAuth 2.3 is affected by a cross-site request forgery (CSRF) vulnerability. After a user has logged into the target website, an attacker lures the user into visiting an attacker-controlled page; that page exploits the target website's trust in the logged-in user to issue forged requests in the user's name, so that the attacker's chosen actions are carried out as if the user had performed them.


Solution

The vendor has released a patch that fixes this vulnerability; details are available at the following link:

https://pivotal.io/security/cve-2019-11269