CVE-2021-22119

7.5 HIGH

📋 TL;DR

Spring Security OAuth 2.0 clients are vulnerable to a denial-of-service condition: an attacker can exhaust server resources by repeatedly initiating authorization requests, whether from a single session or from many. This affects Spring Security 5.2.x through 5.5.x in web applications that act as OAuth 2.0 clients.

💻 Affected Systems

Products:
  • Spring Security
Versions: 5.2.x prior to 5.2.11, 5.3.x prior to 5.3.10, 5.4.x prior to 5.4.7, 5.5.x prior to 5.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using OAuth 2.0 client functionality with Authorization Code Grant flow in web or WebFlux applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, potentially affecting all users of the application.

🟠 Likely Case

Degraded performance and intermittent service disruptions under targeted attack.

🟢 If Mitigated

Minimal impact with proper rate limiting and resource monitoring in place.

🌐 Internet-Facing: HIGH - OAuth 2.0 client applications are typically internet-facing and accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications could still be targeted by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires no authentication and can be performed with simple HTTP requests. The technique is well-known for DoS attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.11, 5.3.10, 5.4.7, or 5.5.1

Vendor Advisory: https://spring.io/security/cve-2021-22119

Restart Required: Yes

Instructions:

1. Identify your Spring Security version.
2. Upgrade to the patched version for your release line.
3. Update dependencies in your build configuration.
4. Rebuild and redeploy your application.
5. Restart the application server.

🔧 Temporary Workarounds

Rate Limiting Implementation

Platform: all

Implement rate limiting on OAuth 2.0 authorization request endpoints to prevent resource exhaustion.

Session Limitation

Platform: all

Configure session management to limit concurrent sessions per user and implement session timeouts.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block excessive authorization requests
  • Deploy resource monitoring and alerting for abnormal request patterns to OAuth endpoints

🔍 How to Verify

Check if Vulnerable:

Check your Spring Security version in pom.xml, build.gradle, or the application's resolved dependencies. Then verify whether the application uses the OAuth 2.0 client with the Authorization Code Grant flow; applications that do not are not affected.

Check Version:

For Maven: mvn dependency:tree | grep spring-security
For Gradle: gradle dependencies | grep spring-security

Verify Fix Applied:

Confirm Spring Security version is 5.2.11+, 5.3.10+, 5.4.7+, or 5.5.1+. Test authorization request endpoints under load.

📡 Detection & Monitoring

Log Indicators:

  • High frequency of authorization request initiations
  • Abnormal session creation patterns
  • Resource exhaustion warnings in application logs

Network Indicators:

  • Multiple rapid requests to /oauth2/authorization/* endpoints
  • Unusual traffic patterns from single IPs to OAuth endpoints

SIEM Query:

source="application.logs" AND ("authorization request" OR "/oauth2/authorization/") | stats count by src_ip, user_agent | where count > threshold
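Detection logic for the log and network indicators above, added here as an example and not part of the advisory: it counts Authorization Code Grant initiations per source IP and user agent in a sliding time window, as the SIEM query does with a flat count, over constructed access-log lines. The combined log format, the "keycloak" registration id, the sample addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-format access log line (assumed format; sample data is constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Spring Security's default path prefix for initiating the Authorization Code Grant.
AUTHZ_PREFIX = "/oauth2/authorization/"

def parse_line(line):
    """Return (timestamp, src_ip, path, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["path"], m["ua"]

def flag_authorization_floods(log_text, window_seconds=60, threshold=20):
    """Sliding-window count of authorization initiations per (src_ip, user_agent).
    Returns {key: peak_count} for every key whose count exceeded the threshold.
    Lines are assumed to be in chronological order."""
    windows = defaultdict(deque)
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[2].startswith(AUTHZ_PREFIX):
            continue
        ts, ip, _, ua = rec
        q = windows[(ip, ua)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old events
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get((ip, ua), 0):
            peaks[(ip, ua)] = len(q)
    return peaks

def _line(ip, second, path, ua):  # helper to build constructed sample lines
    return (f'{ip} - - [15/Jun/2021:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'302 0 "-" "{ua}"')

# Constructed sample: 25 initiations in 25 s from one scripted client, plus normal browser traffic.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, AUTHZ_PREFIX + "keycloak", "curl/7.68.0") for s in range(25)]
    + [_line("198.51.100.20", s, AUTHZ_PREFIX + "keycloak", "Mozilla/5.0") for s in (3, 17, 44)]
    + [_line("198.51.100.20", 5, "/index.html", "Mozilla/5.0")]
)
```

Running `flag_authorization_floods(SAMPLE_LOG)` flags only the scripted client; the threshold and window should be tuned to the normal login rate of the deployment.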
