CVE-2016-4977 – Spring Security OAuth2

Description

Kayran has detected that the Version of Spring Security OAuth being used is vulnerable to Remote Code Executions.
When processing authorization requests using the ‘whitelabel’ views in the versions being used, the ‘response_type’ parameter value is being executed as a Spring SpEL.

CVE-2016-4977 is categorized as a ‘Data Processing Error’ vulnerability (CWE-19).
Weaknesses in this category are typically found in everything related to the functionality that processes data.
Data processing is the manipulation of input to retrieve or save information.

Attackers could abuse it to trigger remote code executions through the crafting of the value for the ‘response_type’ parameter.

That could assist attackers in obtaining sensitive information (Information Disclosure).
There’s a chance that this vulnerability will allow attackers to modify system files and information.
It could also lead to a decrease in performance and interruptions in the availability of resources.

Recommendation

To fix CVE-2016-4977, upgrade the version of Spring Security OAuth being used to 2.0.10 or higher.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4977

https://cwe.mitre.org/data/definitions/19.html

< Return to all Vulnerabilities

What is Kayran

Kayran scanner is helping all businesses, both SMBs and enterprises, to test their online assets and products for over 30,000+ vulnerabilities.Kayran’s mission is to make

Read More »

The Dark Web

Let’s talk about the darker and more mysterious side of the internet, also known as The Dark Web. You’ve probably heard about it, whether it’s

Read More »