VYPR
High severity · OSV Advisory · Published Dec 30, 2018 · Updated Aug 5, 2024

CVE-2018-20595

Description

CSRF vulnerability in hsweb OAuth2 client due to missing state parameter validation allows attackers to perform unauthorized actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A CSRF issue exists in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 and earlier [1]. The OAuth2 callback does not compare the state parameter from the request with the state stored in the user's session after successful authentication, allowing CSRF attacks [1][4].

Exploitation

An attacker can craft a malicious link or webpage that initiates an OAuth2 authorization flow. Once the victim authenticates and is redirected back to the callback URL, the lack of state validation allows the attacker to bind the victim's session to an OAuth2 token controlled by the attacker [1][4].

Impact

Successful exploitation enables the attacker to perform actions on behalf of the victim, potentially leading to account takeover or unauthorized access to protected resources [4].

Mitigation

The issue is fixed in commit [3], which adds a check comparing the state parameter from the request with the state cached in the session. Users should upgrade to an hsweb version later than 3.0.4. If upgrading is not possible, no workaround is documented.
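The check described above, written out as a self-contained example that is not hsweb's own code: the session is a plain Map instead of an HttpSession, and the names StateCheckingOAuth2Client, STATE_SESSION_KEY, beginAuthorization and callback are assumptions. It goes slightly beyond the visible fix by treating a missing state as a rejection rather than a NullPointerException, comparing in constant time, and consuming the cached state so each value is accepted once.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Minimal stand-in for an OAuth2 client's authorize/callback pair with the
 * state check that CVE-2018-20595 was missing. Hypothetical example code,
 * not hsweb's: a Map plays the role of the servlet session.
 */
public class StateCheckingOAuth2Client {

    static final String STATE_SESSION_KEY = "oauth2.state"; // assumed key name
    private static final SecureRandom RNG = new SecureRandom();

    /** Step 1: generate an unguessable state and bind it to this user's session. */
    static String beginAuthorization(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(STATE_SESSION_KEY, state);
        return state; // the caller appends this as &state=... to the authorization URL
    }

    /**
     * Step 2: accept the authorization code only if the state echoed back by the
     * authorization server matches the one stored in this session. The cached
     * value is removed before comparing, so a state is usable exactly once and a
     * mismatch forces the user to restart the flow (fail closed).
     */
    static boolean callback(Map<String, Object> session, String code, String state) {
        Object cached = session.remove(STATE_SESSION_KEY);
        if (cached == null || state == null) {
            // No flow was started in this session, or the parameter is absent:
            // both are mismatches, not exceptions.
            return false;
        }
        byte[] expected = ((String) cached).getBytes(StandardCharsets.UTF_8);
        byte[] actual = state.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            return false;
        }
        // Only a state-validated code may be exchanged for a token and bound to this session.
        session.put("oauth2.code", code);
        return true;
    }

    public static void main(String[] args) {
        // Constructed scenario 1: a callback carrying a code from a different flow,
        // whose state never came from this session. Must be refused.
        Map<String, Object> victimSession = new HashMap<>();
        String victimState = beginAuthorization(victimSession);
        boolean foreign = callback(victimSession, "code-from-elsewhere", "some-other-state");
        System.out.println("foreign state accepted: " + foreign);

        // The rejection consumed the cached state, so presenting the original
        // state afterwards is refused as well until a new flow is started.
        boolean retry = callback(victimSession, "code-from-elsewhere", victimState);
        System.out.println("retry after rejection accepted: " + retry);

        // Constructed scenario 2: the legitimate flow, then a second use of the same state.
        Map<String, Object> session = new HashMap<>();
        String issued = beginAuthorization(session);
        System.out.println("legitimate callback accepted: " + callback(session, "legit-code", issued));
        System.out.println("reuse of same state accepted: " + callback(session, "legit-code", issued));
    }
}
```

The single-use removal is the part most easily overlooked: if the cached state stays in the session after a successful callback, the same state value remains valid for that session, and the check no longer ties one authorization response to one request the user actually initiated.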

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem   Affected versions   Patched versions
org.hswebframework.web:hsweb-commons   Maven       <= 3.0.4            not listed

Affected products

2

Patches

1
40929e9b0d33

fix #107 csrf

2 files changed · +7 −1
  • hsweb-authorization/hsweb-authorization-oauth2/hsweb-authorization-oauth2-core/src/main/java/org/hswebframework/web/oauth2/core/ErrorType.java  +2 −0  modified
    @@ -57,6 +57,8 @@ public enum ErrorType {
     
         USER_NOT_EXIST(4041),//客户端不存在
     
    +    STATE_ERROR(4042), //stat错误
    +
         ACCESS_DENIED(503), //访问被拒绝
     
         OTHER(5001), //其他错误 ;
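Review bot: the comment on the new STATE_ERROR(4042) line reads `//stat错误` ("stat error"); it should say `state` so the constant is found when searching for the parameter it guards. Also, 4042 continues the 404x sequence started by USER_NOT_EXIST(4041), which reads as a "not found" family, whereas a state mismatch is a rejected client request; consider a 400-range code, and a short Javadoc on the constant stating that the OAuth2 callback raises it when the returned state does not match the session.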
    
  • hsweb-system/hsweb-system-oauth2-client/hsweb-system-oauth2-client-web/src/main/java/org/hswebframework/web/authorization/oauth2/controller/OAuth2ClientController.java  +5 −1  modified
    @@ -20,12 +20,14 @@
     
     import io.swagger.annotations.Api;
     import io.swagger.annotations.ApiOperation;
    +import org.hswebframework.web.BusinessException;
     import org.hswebframework.web.WebUtil;
     import org.hswebframework.web.authorization.oauth2.client.OAuth2RequestService;
     import org.hswebframework.web.authorization.oauth2.client.listener.OAuth2CodeAuthBeforeEvent;
     import org.hswebframework.web.controller.message.ResponseMessage;
     import org.hswebframework.web.entity.oauth2.client.OAuth2ServerConfigEntity;
     import org.hswebframework.web.id.IDGenerator;
    +import org.hswebframework.web.oauth2.core.ErrorType;
     import org.hswebframework.web.oauth2.core.OAuth2Constants;
     import org.hswebframework.web.service.oauth2.client.OAuth2ServerConfigService;
     import org.springframework.beans.factory.annotation.Autowired;
    @@ -104,7 +106,9 @@ public RedirectView callback(@RequestParam(defaultValue = "/") String redirect,
                                      HttpSession session) throws UnsupportedEncodingException {
             try {
                 String cachedState = (String) session.getAttribute(STATE_SESSION_KEY);
    -            //  if (!state.equals(cachedState)) throw new BusinessException("state error");
    +            if (!state.equals(cachedState)) {
    +                throw new BusinessException(ErrorType.STATE_ERROR.name());
    +            }
                 oAuth2RequestService.doEvent(serverId, new OAuth2CodeAuthBeforeEvent(code, state, request::getParameter));
                 return new RedirectView(URLDecoder.decode(redirect, "UTF-8"));
             } finally {
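Review bot: `state.equals(cachedState)` throws a NullPointerException when the callback is invoked without a `state` parameter, and the case where `cachedState` is null (no authorization flow was started in this session) is rejected only as a side effect of `equals(null)` returning false. Invert the comparison so both cases are explicit rejections, e.g. `if (cachedState == null || !cachedState.equals(state)) {`. Two follow-ups: the `finally` block that begins at the end of this hunk should remove STATE_SESSION_KEY so a state value is accepted only once per session, and `ErrorType.STATE_ERROR.name()` passes the enum name as the exception message, so the 4042 code defined alongside it is not what callers receive; if anything keys on the numeric code, pass the enum (or its code) instead.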
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.