cvedb.io
CVE-2018-15801
HIGH · CVSS 7.4
EPSS exploitation probability: 0%
Published 2018-12-19T22:29:00.593 · Last modified 2026-06-17T01:43:07.673

Summary

Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability in JWT issuer validation. Exploitation requires a specific precondition: the honest issuer and the malicious user must sign their JWTs with the same private key (for example, one signing key shared by several issuers behind a single identity provider). Under that condition, a malicious user can mint a correctly signed JWT whose issuer (`iss`) claim is the malicious issuer's URL, and an affected resource server may accept it as though it had been issued by the honest issuer. Where each issuer has its own key, signature verification alone already rejects such a token; the bypass matters precisely where the key does not distinguish issuers and the `iss` check is the only thing that does. The issue is fixed in Spring Security 5.1.2.
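The following is an added example, not code from Spring Security or from this page, that models the class of flaw the summary describes: two parties sign with one shared key, so only a pinned `iss` check separates the honest issuer's tokens from the forged ones. It uses HS256 (HMAC) from the Python standard library in place of the RSA/EC private key Spring would use, which does not change the shared-key precondition. The issuer URLs, key and tokens are constructed for the example; the decoder functions are illustrative and are not Spring's own code path.

```python
"""Added example (not Spring Security's code): why a JWT decoder must pin the
`iss` claim to the configured issuer when more than one party can sign with
the same key. HS256 stands in for the advisory's asymmetric private key."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values: one signing key shared by both issuers, which is the
# precondition CVE-2018-15801 requires.
SHARED_KEY = b"constructed-shared-signing-key"
HONEST_ISSUER = "https://honest.example/"
MALICIOUS_ISSUER = "https://attacker.example/"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT over `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Check the HMAC over header.payload and return the claims; raise on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def decode_without_issuer_check(token: str, key: bytes, now=None) -> dict:
    """Models the flaw class: signature and expiry are verified, but `iss` is
    never compared with the issuer this resource server was configured for."""
    claims = verify_signature(token, key)
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def decode_with_pinned_issuer(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Hardened form: exact string match of `iss` against the configured issuer."""
    claims = decode_without_issuer_check(token, key, now)
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    return claims


def demo() -> dict:
    """Mint a forged and an honest token under the shared key and run both decoders."""
    exp = int(time.time()) + 300
    forged = mint_jwt({"iss": MALICIOUS_ISSUER, "sub": "alice", "exp": exp}, SHARED_KEY)
    honest = mint_jwt({"iss": HONEST_ISSUER, "sub": "alice", "exp": exp}, SHARED_KEY)
    results = {}
    # Signature is valid (same key), so the unpinned decoder grants the forged token.
    results["forged_accepted_without_iss_check"] = (
        decode_without_issuer_check(forged, SHARED_KEY)["sub"] == "alice"
    )
    try:
        decode_with_pinned_issuer(forged, SHARED_KEY, HONEST_ISSUER)
        results["forged_accepted_with_pinned_iss"] = True
    except ValueError:
        results["forged_accepted_with_pinned_iss"] = False
    results["honest_accepted_with_pinned_iss"] = (
        decode_with_pinned_issuer(honest, SHARED_KEY, HONEST_ISSUER)["sub"] == "alice"
    )
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the advisory: the forged token passes signature and expiry checks exactly like the honest one, and only the exact `iss` comparison rejects it. For Spring Security itself the fix is to run 5.1.2 or later; when a decoder's validator chain is assembled by hand, the issuer pin corresponds to the issuer validator that `JwtValidators.createDefaultWithIssuer(issuer)` adds, and that pin should never be dropped to "make multi-tenant tokens work" when tenants share a key.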

Affected products

vmware — spring_security (5.1.0 through 5.1.1; fixed in 5.1.2)


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.