GHSA-q4q2-93pw-qwgf

GitHub Security Advisory

Issuer validation regression in Spring Cloud SSO Connector

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

Spring Cloud SSO Connector, version 2.1.2, contains a regression that disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers that use this version of the SSO Connector by presenting tokens issued by another service plan.

### Mitigation

Users of affected versions should apply one of the following mitigations:

* Upgrade to a release that has fixed this issue:
  * Spring Cloud SSO Connector: 2.1.3
* Alternatively, perform **one** of the following workarounds:
  * Bind your resource server to the SSO service plan via a service instance binding
  * Set `sso.connector.cloud.available=true` within your Spring application properties
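As defence in depth beyond the workarounds above, a resource server can pin the issuer it trusts in its own `JwtDecoder`, so that a token minted by a different SSO service plan (and therefore carrying a different `iss` claim) is rejected regardless of what the connector's auto-configuration does. The following is an added example, not code from the advisory or from the Spring Cloud SSO Connector project; it assumes the application uses Spring Security 5's OAuth2 resource server support (`spring-security-oauth2-jose`), and the issuer URL, JWKS URI and audience values are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class PinnedIssuerJwtConfig {

    // Placeholder values: the issuer and JWKS endpoint of the ONE SSO service plan
    // this resource server is meant to trust, and the audience it expects.
    private static final String EXPECTED_ISSUER = "https://plan-a.login.example.com/oauth/token";
    private static final String JWK_SET_URI = "https://plan-a.login.example.com/token_keys";
    private static final String EXPECTED_AUDIENCE = "my-resource-server";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification against the pinned plan's JWK set.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // Default timestamp checks (exp/nbf) plus an explicit "iss" comparison.
        // A token from another service plan fails here even if its signature
        // would otherwise be accepted.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps =
                JwtValidators.createDefaultWithIssuer(EXPECTED_ISSUER);

        // Audience check so a token issued for a different resource server is also refused.
        OAuth2TokenValidator<Jwt> audience = jwt -> jwt.getAudience().contains(EXPECTED_AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(new OAuth2Error(
                        "invalid_token", "missing required audience " + EXPECTED_AUDIENCE, null));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }
}
```

Tokens that fail any of these validators are rejected by the resource server filter chain with an `invalid_token` error before reaching application code.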

Affected Packages

Ecosystem: Maven
Package: io.pivotal.spring.cloud:spring-cloud-sso-connector
Affected versions: 2.1.2.RELEASE (fixed in 2.1.3.RELEASE)

Key Information

GHSA ID: GHSA-q4q2-93pw-qwgf
Published: May 13, 2022 1:07 AM
Last Modified: March 4, 2024 8:48 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: io.pivotal.spring.cloud:spring-cloud-sso-connector
GitHub Reviewed: Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.