CVE-2016-4977 – Spring Security OAuth2

Description

Cytrix has detected that the version of Spring Security OAuth being used is vulnerable to remote code execution.
When processing authorization requests using the ‘whitelabel’ views in the versions being used, the ‘response_type’ parameter value is evaluated as a Spring Expression Language (SpEL) expression.

CVE-2016-4977 is categorized as a ‘Data Processing Error’ vulnerability (CWE-19).
Weaknesses in this category are typically found in functionality that processes data.
Data processing is the manipulation of input to retrieve or save information.

Attackers could abuse it to trigger remote code execution by crafting the value of the ‘response_type’ parameter.

That could assist attackers in obtaining sensitive information (Information Disclosure).
There’s a chance that this vulnerability will allow attackers to modify system files and information.
It could also lead to a decrease in performance and interruptions in the availability of resources.

Recommendation

To fix CVE-2016-4977, upgrade the version of Spring Security OAuth being used to 2.0.10 or higher.
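
One way to check a Maven build against this recommendation, as an added example that is not part of the original advisory or of Cytrix's tooling: it reads a pom.xml and reports whether the declared spring-security-oauth2 version is below 2.0.10. The sample POM and its oauth.version property name are constructed for illustration; a version inherited from a parent POM or BOM is reported as unknown.

```python
import re
import xml.etree.ElementTree as ET

# Maven coordinates; FIXED is the version named in the recommendation above.
GROUP_ID = "org.springframework.security.oauth"
ARTIFACT_ID = "spring-security-oauth2"
FIXED = (2, 0, 10)

# Constructed sample pom.xml (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><oauth.version>2.0.9.RELEASE</oauth.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId>
      <version>${oauth.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.0.9.RELEASE' into (2, 0, 9); return None if not numeric."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def check_pom(pom_xml):
    """Return a (declared_version, status) pair per matching dependency."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop XML namespaces so plain tag names match
        el.tag = el.tag.split("}")[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        coords = (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip())
        if coords != (GROUP_ID, ARTIFACT_ID):
            continue
        raw = dep.findtext("version", "").strip()
        # Resolve a ${property} reference defined in the same POM.
        ref = re.fullmatch(r"\$\{(.+)\}", raw)
        declared = props.get(ref.group(1), "") if ref else raw
        ver = parse_version(declared)
        if ver is None:
            status = "unknown"  # e.g. version managed by a parent POM or BOM
        else:
            status = "below_fixed" if ver < FIXED else "ok"
        findings.append((declared, status))
    return findings

if __name__ == "__main__":
    for declared, status in check_pom(SAMPLE_POM):
        print(f"{ARTIFACT_ID} {declared or '(unresolved)'}: {status}")
```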

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4977

https://cwe.mitre.org/data/definitions/19.html
