Arbitrary Code Execution Affecting org.springframework.security.oauth:spring-security-oauth2 package, versions [,2.0.15.RELEASE) [2.1.0.RELEASE, 2.1.2.RELEASE) [2.2.0.RELEASE, 2.2.2.RELEASE) [2.3.0.RELEASE, 2.3.3.RELEASE)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITYOAUTH-31676
- published 10 May 2018
- disclosed 8 May 2018
- credit Philippe Arteau
How to fix?
Upgrade org.springframework.security.oauth:spring-security-oauth2 to version 2.0.15.RELEASE, 2.1.2.RELEASE, 2.2.2.RELEASE, 2.3.3.RELEASE or higher.
Overview
org.springframework.security.oauth:spring-security-oauth2 package that provides support for using Spring Security with OAuth (1a) and OAuth2.
Affected versions of this package are vulnerable to Arbitrary Code Execution. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.