CVE-2016-4977 Remote Code Execution (RCE) in Spring Security OAuth

Severity

Important

Vendor

Spring by Pivotal

Versions Affected

2.0.0 to 2.0.9
1.0.0 to 1.0.5

Description

When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

Mitigation

Users of affected versions should apply the following mitigation:

Users of 1.0.x should not use whitelabel views for approval and error pages
Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later

Credit

This issue was found by David Vieira-Kurz (@secalert) and reported by Oliver Schoenherr on behalf of Immobilien Scout GmbH.

References

https://github.com/spring-projects/spring-security-oauth/commit/fff77d3fea477b566bcacfbfc95f85821a2bdc2d

History

2016-Jul-05: Initial vulnerability report published

2016-Aug-30: Update credit