PKCE Downgrade Attack for Confidential Clients
CVE-2024-22258

6.1MEDIUM

Key Information:

Vendor: Spring
Status: Spring
Vendor: CVE Published:; 20 March 2024

What is CVE-2024-22258?

The vulnerability in Spring Authorization Server allows for a PKCE Downgrade Attack that specifically affects versions 1.0.0 through 1.2.2. This occurs when a Confidential Client utilizes PKCE (Proof Key for Code Exchange) during the Authorization Code Grant process. In such cases, an attacker could exploit the vulnerability to compromise the confidentiality and integrity of the authorization flow, making it crucial for organizations to apply security measures and updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

Spring 1.0.x

Spring 1.0.x < 1.0.6

Spring 1.1.x < 1.1.6

References

https://spring.io/security/cve-2024-22258

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 20, 2024
Vulnerability Reserved
Jan 8, 2024