All Vulnerability Reports

CVE-2016-4977 Remote Code Execution (RCE) in Spring Security OAuth

Severity

Important

Vendor

Spring by Pivotal

Versions Affected

• 2.0.0 to 2.0.9
• 1.0.0 to 1.0.5

Description

When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

Mitigation

Users of affected versions should apply the following mitigation:

• Users of 1.0.x should not use whitelabel views for approval and error pages
• Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later

Credit

This issue was found by David Vieira-Kurz (@secalert) and reported by Oliver Schoenherr on behalf of Immobilien Scout GmbH.

References

• https://github.com/spring-projects/spring-security-oauth/commit/fff77d3fea477b566bcacfbfc95f85821a2bdc2d

History

2016-Jul-05: Initial vulnerability report published

2016-Aug-30: Update credit