CVE-2016-4977

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2016-4977

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4977.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2016-4977

Aliases

GHSA-7q9c-h23x-65fq

Published

2017-05-25T17:29:00.707Z

Modified

2026-02-12T00:00:50.101826Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the responsetype parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for responsetype.

References

Affected packages

Git / github.com/spring-projects/spring-security-oauth

Affected ranges

Type: GIT
Repo: https://github.com/spring-projects/spring-security-oauth
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

2d6640db09f3c3b7612ec3bf08e7ff8ff2b90cc7

Affected versions

1.*

1.0.0.M5

1.0.0.M6

1.0.0.M6a

1.0.0.M6b

1.0.0.M6d

1.0.0.RC1

1.0.0.RC2

1.0.0.RC3

1.0.0.RELEASE

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4977.json"