CVE-2018-1256: Issuer validation regression in Spring Cloud SSO Connector

May 13, 2022 (updated January 8, 2024)

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

References

github.com/advisories/GHSA-q4q2-93pw-qwgf
nvd.nist.gov/vuln/detail/CVE-2018-1256
pivotal.io/security/cve-2018-1256

Detect and mitigate CVE-2018-1256 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →