Medium severity (6.1) · GHSA Advisory · Published Mar 20, 2024 · Updated Apr 15, 2026
CVE-2024-22258
Description
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.
Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant.
An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
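A PKCE downgrade at the token endpoint means the server accepts a token request that omits the `code_verifier` even though the authorization request bound a `code_challenge` to the code; the advisory states that the affected releases allowed this for confidential clients. The following Python model is an added illustration, not code from this page, the GHSA entry or Spring Authorization Server: it puts a schematic of that flawed decision next to the correct RFC 7636 enforcement, so the difference in outcome can be seen on a constructed confidential client. `AuthorizationRecord`, both `*_token_request` functions and the sample values are assumptions made for the example and are not the project's API or its actual code path.

```python
"""Model of PKCE enforcement at the token endpoint (RFC 7636).

Constructed illustration, not Spring Authorization Server code. It contrasts a
server that treats client authentication as a substitute for the code_verifier
check (the downgrade the advisory describes) with one that enforces the check
whenever the authorization request bound a code_challenge to the code.
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Characters RFC 7636 section 4.1 permits in a code_verifier, 43 to 128 of them.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


@dataclass(frozen=True)
class AuthorizationRecord:
    """State the server stored when it issued the authorization code (constructed type)."""
    client_id: str
    confidential: bool                    # client authenticates with a secret
    code_challenge: Optional[str]         # None if the client did not use PKCE
    code_challenge_method: Optional[str]  # "S256" or "plain"


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding, per RFC 7636 section 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(record: AuthorizationRecord, code_verifier: str) -> bool:
    """Recompute the challenge from the presented verifier and compare in constant time."""
    if not _VERIFIER_RE.match(code_verifier):
        return False
    if record.code_challenge_method == "S256":
        expected = s256_challenge(code_verifier)
    elif record.code_challenge_method in (None, "plain"):
        expected = code_verifier  # RFC 7636 section 4.3: the method defaults to plain
    else:
        return False
    return hmac.compare_digest(expected, record.code_challenge or "")


def downgradable_token_request(record: AuthorizationRecord,
                               client_authenticated: bool,
                               code_verifier: Optional[str]) -> bool:
    """Schematic of the flawed logic: an authenticated confidential client skips PKCE.

    Hypothetical model of what the advisory calls a downgrade; not the literal code
    path of the affected releases.
    """
    if record.confidential and not client_authenticated:
        return False
    if record.confidential:
        return True  # client secret treated as sufficient; the bound code_challenge is ignored
    if record.code_challenge is None:
        return True
    return code_verifier is not None and verifier_matches(record, code_verifier)


def hardened_token_request(record: AuthorizationRecord,
                           client_authenticated: bool,
                           code_verifier: Optional[str]) -> bool:
    """Correct logic: a bound code_challenge always demands a matching code_verifier."""
    if record.confidential and not client_authenticated:
        return False
    if record.code_challenge is None:
        return True   # PKCE was not used for this code; nothing to verify
    if code_verifier is None:
        return False  # omitting the verifier is the downgrade; refuse it regardless of client type
    return verifier_matches(record, code_verifier)


def demo() -> dict:
    """Run both models on a constructed confidential client that used S256 PKCE."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # constructed 43-character sample
    record = AuthorizationRecord(
        client_id="example-confidential-client",  # constructed client id
        confidential=True,
        code_challenge=s256_challenge(verifier),
        code_challenge_method="S256",
    )
    return {
        "downgradable_accepts_missing_verifier": downgradable_token_request(record, True, None),
        "hardened_rejects_missing_verifier": not hardened_token_request(record, True, None),
        "hardened_accepts_correct_verifier": hardened_token_request(record, True, verifier),
        "hardened_rejects_wrong_verifier": not hardened_token_request(record, True, "x" * 43),
        "both_reject_unauthenticated_client": (
            not downgradable_token_request(record, False, verifier)
            and not hardened_token_request(record, False, verifier)
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The useful property to carry over to a real deployment is the one `hardened_token_request` encodes: the decision to verify PKCE is driven by whether a `code_challenge` was stored with the code, never by whether the client also presented a secret. A server that passes the "missing verifier is rejected" case for confidential clients is not exposed to the downgrade this advisory describes; the patched versions in the table below restore exactly that behaviour.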
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-oauth2-authorization-server (Maven) | < 1.1.6 | 1.1.6 |
| org.springframework.security:spring-security-oauth2-authorization-server (Maven) | >= 1.2.0, < 1.2.3 | 1.2.3 |
Affected products
- Range: >= 1.2.0, < 1.2.3
- Range: < 1.1.6
References
- github.com/advisories/GHSA-x637-x8p3-5p22 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-22258 (advisory)
- github.com/spring-projects/spring-authorization-server (package)
- github.com/spring-projects/spring-authorization-server/commit/a7035d22bd2de6c24e7125623d38fb83d8f659a9 (commit)
- spring.io/security/cve-2024-22258 (web)