CVE-2016-4977 Remote Code Execution (RCE) in Spring Security OAuth


Severity

Important

Vendor

Spring by Pivotal

Versions Affected

  • 2.0.0 to 2.0.9
  • 1.0.0 to 1.0.5

Description

When processing authorization requests with the whitelabel views, the value of the response_type parameter was evaluated as a Spring Expression Language (SpEL) expression, which enabled a malicious user to trigger remote code execution by crafting the value of response_type.

Mitigation

Users of affected versions should apply the following mitigation:

  • Users of 1.0.x should not use whitelabel views for approval and error pages
  • Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later
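
Not using the whitelabel views means registering your own controller for the two paths they serve, /oauth/confirm_access and /oauth/error. The following is an added example written against the 2.0.x API; it is not code from this advisory or from the Spring project, and the class name, the view names access_confirmation and oauth_error, and the template engine behind them are assumptions.

```java
import java.security.Principal;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.servlet.ModelAndView;

/**
 * Replaces the whitelabel approval and error endpoints (hypothetical class).
 * A @Controller mapped to these paths takes precedence over the framework
 * endpoints, so the SpEL-rendered whitelabel views are never reached.
 */
@Controller
@SessionAttributes("authorizationRequest")
public class CustomOAuthViewsController {

    @Autowired
    private ClientDetailsService clientDetailsService;

    // The authorization endpoint forwards here with "authorizationRequest"
    // in the model; @SessionAttributes keeps it for the approval POST.
    @RequestMapping("/oauth/confirm_access")
    public ModelAndView getAccessConfirmation(Map<String, Object> model, Principal principal) {
        AuthorizationRequest authRequest = (AuthorizationRequest) model.remove("authorizationRequest");
        ClientDetails client = clientDetailsService.loadClientByClientId(authRequest.getClientId());
        model.put("auth_request", authRequest);
        model.put("client", client);
        model.put("user", principal.getName());
        // "access_confirmation" is an assumed view name. Its form must POST to
        // /oauth/authorize with user_oauth_approval=true or false, and the
        // template must HTML-escape every model value it prints (client id,
        // scopes, ...) rather than evaluate it as an expression.
        return new ModelAndView("access_confirmation", model);
    }

    // The authorization endpoint forwards here on protocol errors. Render a
    // fixed message; do not echo request parameters such as response_type.
    @RequestMapping("/oauth/error")
    public ModelAndView handleError(Map<String, Object> model) {
        model.put("message", "There was a problem with the OAuth2 protocol");
        return new ModelAndView("oauth_error", model); // assumed view name
    }
}
```
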
Credit

This issue was found by David Vieira-Kurz (@secalert) and reported by Oliver Schoenherr on behalf of Immobilien Scout GmbH.

References

History

2016-Jul-05: Initial vulnerability report published

2016-Aug-30: Update credit