CVE-2016-4977
Published: 2017-05-25
Priority: P1 · 87 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 79.18% (99.6th percentile)
When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotal | spring_security_oauth | — | — |
Detection & IOCs (extracted from sources)
URL: /oauth/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http://test
Path: /oauth/authorize
Other: Unsupported response types: [978015547]
- Exploit probe uses SpEL expression ${13337*73331} in the response_type parameter of the OAuth authorization endpoint; a vulnerable server will evaluate the expression and return the product 978015547 in the response body with HTTP 400.
- The vulnerable parameter is response_type in GET requests to /oauth/authorize; any SpEL expression injected there will be executed server-side by the whitelabel views in Spring Security OAuth 2.0.0–2.0.9 and 1.0.0–1.0.5.
- Vulnerability only exists when whitelabel views are used for approval and error pages; disabling whitelabel views mitigates the issue without patching.
- Affected versions are Spring Security OAuth 2.0.0–2.0.9 and 1.0.0–1.0.5; versions outside this range are not vulnerable.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
GHSA
Spring Security OAuth vulnerable to remote code execution (RCE) via specially crafted request using whitelabel views
ghsa · 2018-10-18 · HIGH
OSV
Spring Security OAuth vulnerable to remote code execution (RCE) via specially crafted request using whitelabel views
osv · 2018-10-18 · HIGH
VulnCheck
Spring Security OAuth response_type Parameter Vulnerability
vulncheck · 2016 · CVSS 8.8 · HIGH
Affected: pivotal spring_security_oauth
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/
Exploit PoC: https://vulncheck.com/xdb/0919eafe62d8
No detection rules found.
Nuclei
Spring Security OAuth2 Remote Command Execution
nuclei · CVSS 8.8 · HIGH
Spring Security OAuth versions 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5 contain a remote command execution vulnerability. When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote command execution via the crafting of the value for response_type.
Template (info block only, as shown by the source):

```yaml
id: CVE-2016-4977

info:
  name: Spring Security OAuth2 Remote Command Execution
  author: princechaddha
  severity: high
  description: Spring Security OAuth versions 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5 contain a remote command execution vulnerability. When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote command execution via the crafting of the value for response_type.
```
References
- http://www.openwall.com/lists/oss-security/2019/10/16/1
- https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488%40%3Cdev.fineract.apache.org%3E
- https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0%40%3Cdev.fineract.apache.org%3E
- https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274%40%3Cdev.fineract.apache.org%3E
- https://pivotal.io/security/cve-2016-4977