VYPR
Medium severity · 6.1 · GHSA Advisory · Published Mar 20, 2024 · Updated Apr 15, 2026

CVE-2024-22258

Description

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.

Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant.

An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
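The two statements above come down to one server-side property: whether the token endpoint enforces PKCE must depend only on whether the authorization request bound a code_challenge to the issued code, never on the client being confidential or on client authentication having succeeded. The following token-endpoint validation, written for this page as an illustration and not taken from Spring Authorization Server, shows that ordering. The record type, field names and the "PKCE required for public clients" policy are this example's own assumptions; the challenge computation and verifier length bounds follow RFC 7636.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthorizationRecord:
    """State the server stored when it issued an authorization code.
    Field names are this example's own (hypothetical), not the library's."""
    client_id: str
    confidential: bool                      # True: client authenticates at the token endpoint
    code_challenge: Optional[str]           # None if the authorization request carried no PKCE
    code_challenge_method: Optional[str]    # "S256" or "plain"


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(record: AuthorizationRecord, code_verifier: str) -> bool:
    """Recompute the challenge from the presented verifier and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128:          # length bounds from RFC 7636 section 4.1
        return False
    if record.code_challenge_method == "S256":
        expected = s256_challenge(code_verifier)
    elif record.code_challenge_method in (None, "plain"):
        expected = code_verifier
    else:
        return False                                  # unknown method: fail closed
    return hmac.compare_digest(expected, record.code_challenge or "")


def validate_token_request(record: AuthorizationRecord,
                           client_authenticated: bool,
                           code_verifier: Optional[str]) -> Tuple[bool, str]:
    """Token-endpoint checks for an authorization_code grant.

    Downgrade-resistant property: PKCE is enforced whenever the authorization
    request bound a code_challenge to the code, regardless of client type and
    regardless of whether client authentication succeeded.
    """
    # 1. Confidential clients must authenticate. This is a separate check that
    #    neither replaces nor relaxes the PKCE check below.
    if record.confidential and not client_authenticated:
        return False, "invalid_client"

    # 2. A public client must have used PKCE (policy chosen for this example).
    if not record.confidential and record.code_challenge is None:
        return False, "invalid_grant: PKCE required for public clients"

    # 3. If the code was bound to a challenge, a matching verifier is mandatory.
    #    An omitted code_verifier is rejected for confidential clients too.
    if record.code_challenge is not None:
        if not code_verifier:
            return False, "invalid_grant: code_verifier missing"
        if not verifier_matches(record, code_verifier):
            return False, "invalid_grant: code_verifier mismatch"
    elif code_verifier:
        # 4. A verifier for a code that was never bound to a challenge is also rejected.
        return False, "invalid_grant: unexpected code_verifier"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a confidential web client that used S256 PKCE.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    rec = AuthorizationRecord("web-app", True, s256_challenge(verifier), "S256")
    print(validate_token_request(rec, True, verifier))   # (True, 'ok')
    print(validate_token_request(rec, True, None))       # (False, 'invalid_grant: code_verifier missing')
```

When auditing an authorization server for this class of issue, the case to exercise is step 3 with a confidential client that authenticates correctly but sends no code_verifier: a correct implementation returns invalid_grant there, and a downgraded one issues tokens.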

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Maven)                                                            Affected versions    Patched versions
org.springframework.security:spring-security-oauth2-authorization-server   < 1.1.6              1.1.6
org.springframework.security:spring-security-oauth2-authorization-server   >= 1.2.0, < 1.2.3    1.2.3
