The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-22119

CVE-2021-22119: VMware Spring Security DoS Vulnerability

CVE-2021-22119 is a Denial-of-Service flaw in VMware Spring Security that allows attackers to exhaust system resources through OAuth 2.0 authorization requests. This article covers technical details, affected versions, and mitigation.

Published: February 25, 2026

CVE-2021-22119 Overview

CVE-2021-22119 is a Denial of Service (DoS) vulnerability affecting VMware Spring Security, a widely-used authentication and access-control framework for Java applications. The vulnerability exists in the OAuth 2.0 Client implementation for both Web and WebFlux applications, where a malicious user can exhaust system resources by sending multiple Authorization Request initiations for the Authorization Code Grant flow.

This vulnerability allows attackers to exploit the authorization request mechanism without authentication, potentially causing service disruption through resource exhaustion using either a single session or multiple concurrent sessions.

Critical Impact

Unauthenticated attackers can cause service unavailability by exhausting system resources through repeated OAuth 2.0 Authorization Request initiations, impacting application availability for legitimate users.

Affected Products

  • VMware Spring Security versions 5.5.x prior to 5.5.1
  • VMware Spring Security versions 5.4.x prior to 5.4.7
  • VMware Spring Security versions 5.3.x prior to 5.3.10
  • VMware Spring Security versions 5.2.x prior to 5.2.11
  • Oracle Communications Cloud Native Core Policy version 1.14.0

Discovery Timeline

  • June 29, 2021 - CVE-2021-22119 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-22119

Vulnerability Analysis

The vulnerability stems from improper resource management in Spring Security's OAuth 2.0 Client implementation. When an application uses Spring Security's OAuth 2.0 Client module for authentication via the Authorization Code Grant flow, each authorization request initiation consumes server-side resources to maintain state information.

The weakness is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-863 (Incorrect Authorization). The OAuth 2.0 authorization flow requires the server to store authorization request attributes, typically in session storage, to validate the callback response. Without proper controls, an attacker can repeatedly initiate authorization requests, causing the server to allocate memory and processing resources for each request without completing the authentication flow.

This resource exhaustion attack is particularly effective because no authentication is required to initiate the authorization request, making it trivial for attackers to launch. The attack can be executed over the network without user interaction, targeting the availability of the affected application.

Root Cause

The root cause lies in the lack of rate limiting and resource constraints on OAuth 2.0 authorization request initiations within Spring Security's OAuth2AuthorizationRequestRedirectFilter. The framework did not implement adequate protections against repeated authorization request initiations from the same session or IP address, allowing unbounded resource allocation.

When processing authorization requests, the DefaultOAuth2AuthorizationRequestResolver creates and stores authorization request objects that persist until the OAuth flow completes or times out. Without proper cleanup mechanisms or limits on pending requests, memory and processing resources can be exhausted.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying an endpoint that triggers OAuth 2.0 authorization (typically /oauth2/authorization/{registrationId})
  2. Sending multiple HTTP requests to initiate authorization flows
  3. Not completing the authorization callback, leaving resources allocated
  4. Repeating this process rapidly to exhaust server resources

The attack can be amplified by using multiple sessions or distributed sources, making it difficult to distinguish from legitimate traffic without proper monitoring.

Detection Methods for CVE-2021-22119

Indicators of Compromise

  • Abnormally high number of requests to OAuth 2.0 authorization endpoints (/oauth2/authorization/*)
  • Rapid increase in session creation without corresponding authentication completions
  • Memory utilization spikes in application servers handling OAuth flows
  • Elevated JVM heap usage without proportional increase in authenticated users

Detection Strategies

  • Monitor request rates to OAuth 2.0 authorization endpoints and alert on anomalous spikes
  • Track the ratio of authorization initiations to successful authentication completions
  • Implement application performance monitoring (APM) to detect resource exhaustion patterns
  • Use web application firewalls (WAF) to identify and block rapid repeated requests to authorization endpoints

Monitoring Recommendations

  • Configure logging for OAuth 2.0 authorization request events with source IP tracking
  • Set up alerts for session storage threshold breaches
  • Monitor garbage collection frequency and duration as an indicator of memory pressure
  • Implement distributed tracing to identify incomplete OAuth flows

How to Mitigate CVE-2021-22119

Immediate Actions Required

  • Upgrade Spring Security to patched versions: 5.5.1+, 5.4.7+, 5.3.10+, or 5.2.11+
  • Implement rate limiting on OAuth 2.0 authorization endpoints at the application or infrastructure layer
  • Configure session timeout policies to clean up abandoned authorization requests
  • Review and restrict access to OAuth 2.0 client endpoints where possible

Patch Information

VMware has released security patches addressing this vulnerability. Organizations should upgrade to the following minimum versions:

  • Spring Security 5.5.x: Upgrade to version 5.5.1 or later
  • Spring Security 5.4.x: Upgrade to version 5.4.7 or later
  • Spring Security 5.3.x: Upgrade to version 5.3.10 or later
  • Spring Security 5.2.x: Upgrade to version 5.2.11 or later

For detailed patch information, refer to the VMware CVE-2021-22119 Advisory. Oracle customers should consult the Oracle CPU January 2022 Alert for guidance on affected Oracle products.

Workarounds

  • Deploy a reverse proxy or WAF with rate limiting configured for OAuth endpoints
  • Implement IP-based request throttling for authorization initiation endpoints
  • Configure shorter session timeouts to reduce the window for resource accumulation
  • Consider disabling OAuth 2.0 client functionality if not required for application operation
bash
# Example: Rate limiting OAuth endpoints with nginx
# Add to nginx configuration for the affected application

limit_req_zone $binary_remote_addr zone=oauth_limit:10m rate=10r/s;

location /oauth2/authorization/ {
    limit_req zone=oauth_limit burst=20 nodelay;
    limit_req_status 429;
    proxy_pass http://backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechVmware Spring Security
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability4.90%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-400
  • CWE-863
  • Technical References
  • Apache NiFi Security Discussion
  • Apache Pluto Security Thread
  • Apache Pluto Security Update
  • Apache Pluto Security Inquiry
  • Apache Pluto Patch Discussion
  • Apache Pluto SCM Update
  • Oracle CPU July 2022 Alert
  • Vendor Resources
  • VMware CVE-2021-22119 Advisory
  • Oracle CPU January 2022 Alert
  • Related CVEs
  • CVE-2022-31690: Spring Security Privilege Escalation Flaw
  • CVE-2023-34034: Spring Security Auth Bypass Vulnerability
  • CVE-2022-22978: Spring Security Auth Bypass Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English