Remote Code Execution (RCE) in Spring Security OAuth

Description
  • Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms.

    When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.
Remediation
  • Users of affected versions should apply the following mitigation:
    • Users of 1.0.x should not use whitelabel views for approval and error pages
    • Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later
References