High severity · NVD Advisory · Published Dec 19, 2018 · Updated Sep 16, 2024
Authorization Bypass During JWT Issuer Validation with spring-security
CVE-2018-15801
Description
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. To be affected, JWTs for an honest issuer and for a malicious user must be signed with the same private key. In that case, the malicious user could craft signed JWTs carrying a malicious issuer URL that may be accepted as if they had been issued by the honest issuer.
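The following is an added example written for this page, not code from Spring Security or from the advisory. It shows the shape of the corrected issuer check: the configured issuer is parsed once to reject malformed input, stored as its external string form, and compared to the token's `iss` claim with plain string equality, with a missing or non-string claim failing closed. The class name `IssuerCheckExample` and the claim maps in `main` are constructed for the example; signature verification is assumed to have happened before this check runs.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;

/**
 * Example issuer check written for this page (not Spring Security's
 * JwtIssuerValidator). It keeps the shape of the 5.1.2 fix: the configured
 * issuer is parsed once, stored as its external string form, and compared to
 * the token's "iss" claim with plain String equality.
 */
public final class IssuerCheckExample {

    /** Canonical string form of the configured issuer; deliberately not a java.net.URL. */
    private final String issuer;

    public IssuerCheckExample(String configuredIssuer) {
        try {
            // Parse only to reject malformed input. java.net.URL.equals() and
            // hashCode() resolve host names and compare addresses, so a URL
            // object must never be the value that is compared.
            this.issuer = new URL(configuredIssuer).toExternalForm();
        } catch (MalformedURLException ex) {
            throw new IllegalArgumentException("Invalid issuer URL: " + configuredIssuer, ex);
        }
    }

    /**
     * Returns true only when the claims carry an "iss" value that is a String
     * exactly equal to the configured issuer. A missing or non-string claim
     * fails closed. The token's signature is assumed to be verified already;
     * this check is meaningless on an unverified token.
     */
    public boolean issuerMatches(Map<String, Object> claims) {
        Object iss = claims.get("iss");
        if (!(iss instanceof String)) {
            return false;
        }
        return this.issuer.equals(iss);
    }

    /** Constructed claim sets standing in for the payload of an already-verified JWT. */
    private static Map<String, Object> claims(String issuer, String subject) {
        Map<String, Object> claims = new HashMap<>();
        if (issuer != null) {
            claims.put("iss", issuer);
        }
        claims.put("sub", subject);
        return claims;
    }

    public static void main(String[] args) {
        // Constructed issuer values; none of these hosts are real deployments.
        IssuerCheckExample check = new IssuerCheckExample("https://issuer.example.com");

        System.out.println("configured issuer: "
                + check.issuerMatches(claims("https://issuer.example.com", "alice")));
        System.out.println("different issuer:  "
                + check.issuerMatches(claims("https://other.example.com", "alice")));
        System.out.println("missing issuer:    "
                + check.issuerMatches(claims(null, "alice")));
    }
}
```

The design choice mirrors the fix commit: the `URL` object exists only inside the constructor, so no code path can compare two `URL` instances, and the claim is read as a string rather than through a typed accessor that might parse it into a `URL` again.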
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-core (Maven) | >= 5.1.0, < 5.1.2 | 5.1.2 |
| org.springframework.security:spring-security-oauth2-jose (Maven) | >= 5.1.0, < 5.1.2 | 5.1.2 |
Affected products
- Range: 5.1.x
Patches
2a0880f7ea97a Release version 5.1.2.RELEASE
1 file changed · +1 −1
gradle.properties+1 −1 modified@@ -1 +1 @@ -version=5.1.2.BUILD-SNAPSHOT +version=5.1.2.RELEASE
c70b65c5df0e Favor URL.toExternalForm
2 files changed · +17 −6
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java+4 −3 modified@@ -37,7 +37,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> { "This iss claim is not equal to the configured issuer", "https://tools.ietf.org/html/rfc6750#section-3.1"); - private final URL issuer; + private final String issuer; /** * Constructs a {@link JwtIssuerValidator} using the provided parameters @@ -48,7 +48,7 @@ public JwtIssuerValidator(String issuer) { Assert.notNull(issuer, "issuer cannot be null"); try { - this.issuer = new URL(issuer); + this.issuer = new URL(issuer).toString(); } catch (MalformedURLException ex) { throw new IllegalArgumentException( "Invalid Issuer URL " + issuer + " : " + ex.getMessage(), @@ -63,7 +63,8 @@ public JwtIssuerValidator(String issuer) { public OAuth2TokenValidatorResult validate(Jwt token) { Assert.notNull(token, "token cannot be null"); - if (this.issuer.equals(token.getIssuer())) { + String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS); + if (this.issuer.equals(tokenIssuer)) { return OAuth2TokenValidatorResult.success(); } else { return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java+13 −3 modified@@ -23,9 +23,6 @@ import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult; import org.springframework.security.oauth2.jose.jws.JwsAlgorithms; -import org.springframework.security.oauth2.jwt.Jwt; -import org.springframework.security.oauth2.jwt.JwtClaimNames; -import org.springframework.security.oauth2.jwt.JwtIssuerValidator; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatCode; @@ -72,6 +69,19 @@ public void validateWhenIssuerMismatchesThenReturnsError() { assertThat(result.getErrors()).isNotEmpty(); } + @Test + public void validateWhenJwtHasNoIssuerThenReturnsError() { + Jwt jwt = new Jwt( + MOCK_TOKEN, + MOCK_ISSUED_AT, + MOCK_EXPIRES_AT, + MOCK_HEADERS, + Collections.singletonMap(JwtClaimNames.AUD, "https://aud")); + + OAuth2TokenValidatorResult result = this.validator.validate(jwt); + assertThat(result.getErrors()).isNotEmpty(); + } + @Test public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() { assertThatCode(() -> this.validator.validate(null))
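Review bot: the first JwtIssuerValidator.java hunk changes the field from `private final URL issuer;` to `private final String issuer;` without a comment saying why; add one line noting that `java.net.URL.equals()` resolves host names and compares addresses, so the issuer must be held and compared as a string. Without that note a later cleanup could reintroduce the URL-typed field.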
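Review bot: the constructor hunk stores `this.issuer = new URL(issuer).toString();` while the commit message says "Favor URL.toExternalForm"; `URL.toString()` delegates to `toExternalForm()`, so behaviour is identical, but calling `toExternalForm()` explicitly would match the stated intent and make clear that the URL is constructed only to validate the configured value.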
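Review bot: in the validate hunk, `token.getClaimAsString(JwtClaimNames.ISS)` returns null when the claim is absent and `this.issuer.equals(null)` is false, so a token without an issuer now fails closed, which the new test exercises. Since the comparison is now exact, case-sensitive string equality, the class javadoc should state that the `iss` claim must match the configured issuer character for character, as this is a visible behaviour change from the previous URL-based comparison.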
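Review bot: the new test validateWhenJwtHasNoIssuerThenReturnsError uses `Collections.singletonMap`, but the only import changes visible in this hunk remove the same-package imports of Jwt, JwtClaimNames and JwtIssuerValidator (redundant because the test is in org.springframework.security.oauth2.jwt); confirm that java.util.Collections is imported above the hunk. The assertion `assertThat(result.getErrors()).isNotEmpty();` would also be stronger if it checked that the returned error is the invalid-issuer error rather than any error.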
References
- github.com/advisories/GHSA-27xw-p8v6-9jjr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-15801 (GHSA, advisory)
- github.com/spring-projects/spring-security/commit/c70b65c5df0e170a2d34d812b83db0b7bc71ea25 (GHSA, web)
- pivotal.io/security/cve-2018-15801 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.