org.cloudfoundry:cf-gradle-plugin (>=1.0.1 <=1.0.3), org.cloudfoundry:cf-maven-plugin (>=1.0.1 <=1.0.3) +5 more potentially affected by CVE-2016-4977 via org.springframework.security.oauth:spring-security-oauth2 (>=1.0.0.RELEASE <=1.0.2.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =1.0.0.RELEASE, =1.0.1, =1.0.1, =1.0.1, =0.9.0, =0.9.0, =0.9.0, =0.9.0, =1.0.22 Source cves: CVE-2016-4977 Source advisory: OSV:GHSA-7Q9C-H23X-65FQ...

jp.co.ap-com:spring-oauth2-serializable (=0.0.1) potentially affected by CVE-2016-4977 via org.springframework.security.oauth:spring-security-oauth2 (=2.0.0.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.0.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security.oauth:spring-security-oauth2 and may be impacted: -...

CVE-2016-4977

CVE-2016-4977 affects Spring Security OAuth versions 2.0.0–2.0.9 and 1.0.0–1.0.5. The root cause is that, during authorization requests using the whitelabel views, the response_type parameter is evaluated as Spring SpEL, enabling remote code execution. This can lead to remote command execution on...

CVE-2 0 1 6-4 9 7 7: RCE in Spring Security Oauth vulnerability analysis-vulnerability warning-the black bar safety net

Version affected Pivotal Spring Security OAuth 2.0 – 2.0.9 Pivotal Spring Security OAuth 1.0 – 1.0.5 Background A few months ago, I for one use Spring Security OAuth framework for authorization of the Web application were tested. In my research, I discovered some issues, including remote code...