CVE-2022-31690 - Privilege Escalation

Severity: None2022-11-18

Security Advisories


Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

The Oxygen products incorporate Spring Security as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Feedback v2.1.3 and olderNone Oxygen Feedback 2.1.4 build 2022111716
Oxygen Content Fusion v5.0.1 and olderNone Content Fusion 5.0.2 build 2022121305





Severity: High

CVSS Score: 8.1

The Spring Security third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-31690 vulnerability description. However, the Access Token returned by Oxygen Feedback does not contain an empty scope list. For that reason, Oxygen XML products are not affected by this vulnerability

Starting with Oxygen Feedback v2.1.4 build 2022111716 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 Spring Security library was updated to v5.7.5 which fixes this vulnerability.

List of Security Advisories