CVE-2016-4977
published 2017-05-25


Priority: P1 · 87 · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
In the wild: exploited (ITW exploit; VulnCheck KEV; initial access)
EPSS: 79.18% (99.6th percentile)
When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

Affected

18 ranges

Vendor | Product | Version range | Fixed in
pivotal | spring_security_oauth | (not present in this record) | (not present in this record)

All 18 ranges name the same vendor and product; the version-range and fixed-in values are not present in this record.

Detection & IOCs (extracted from sources)

URL: /oauth/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http://test
Path: /oauth/authorize
Other: Unsupported response types: [978015547]
  • Exploit probe uses SpEL expression ${13337*73331} in the response_type parameter of the OAuth authorization endpoint; a vulnerable server will evaluate the expression and return the product 978015547 in the response body with HTTP 400.
  • The vulnerable parameter is response_type in GET requests to /oauth/authorize; any SpEL expression injected there will be executed server-side by the whitelabel views in Spring Security OAuth 2.0.0–2.0.9 and 1.0.0–1.0.5.
  • Vulnerability only exists when whitelabel views are used for approval and error pages; disabling whitelabel views mitigates the issue without patching.
  • Affected versions are Spring Security OAuth 2.0.0–2.0.9 and 1.0.0–1.0.5; versions outside this range are not vulnerable.
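A defender-side check for the request pattern described above, added here as an example and not taken from the record's sources: it scans constructed access-log lines for /oauth/authorize requests whose response_type carries a SpEL delimiter (`${` or `#{`) or is not a standard OAuth 2.0 / OpenID Connect response type. The log-line format, client addresses and the allowlist of response types are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original record); the
# second line carries the probe URL quoted in the IOC section above, the
# third a percent-encoded variant of the same idea.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2017:10:00:01 +0000] "GET /oauth/authorize?response_type=code&client_id=acme&redirect_uri=http://test HTTP/1.1" 302 0
10.0.0.9 - - [25/May/2017:10:00:02 +0000] "GET /oauth/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http://test HTTP/1.1" 400 214
10.0.0.9 - - [25/May/2017:10:00:03 +0000] "GET /oauth/authorize?response_type=%24%7B1%2B1%7D&client_id=acme HTTP/1.1" 400 120
10.0.0.7 - - [25/May/2017:10:00:04 +0000] "GET /oauth/token?grant_type=client_credentials HTTP/1.1" 200 90
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Response types defined by RFC 6749 and OpenID Connect (assumed allowlist);
# a space-separated combination such as "code id_token" is also legitimate.
KNOWN_RESPONSE_TYPES = {"code", "token", "id_token", "none"}
SPEL_DELIM_RE = re.compile(r"[$#]\{")


def classify_line(line):
    """Return None for a benign line, otherwise a dict saying why the
    request looks like a CVE-2016-4977 probe against /oauth/authorize."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/oauth/authorize":
        return None
    # parse_qs percent-decodes once; unquote again to catch double encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("response_type", []):
        value = unquote(raw)
        if SPEL_DELIM_RE.search(value):
            return {"reason": "spel_delimiter", "response_type": value, "status": m.group("status")}
        words = set(value.split())
        if not words or not words <= KNOWN_RESPONSE_TYPES:
            return {"reason": "unknown_response_type", "response_type": value, "status": m.group("status")}
    return None


def scan(log_text):
    """Run classify_line over every line and keep only the hits."""
    return [hit for hit in (classify_line(l) for l in log_text.splitlines()) if hit]
```

A 400 status on a flagged request matches the "Unsupported response types" error path noted above, but the request-side match alone is enough to alert on.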

CVSS provenance

nvd | v3.0 | 8.8 HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck | 8.8 HIGH