spring-security-oauth2 is vulnerable to remote code execution (RCE) attacks. The vulnerability occurs when a malicious user can insert an RCE payload into an authorization request to the authorization endpoint; the payload is executed when the resource owner is forwarded to the approval endpoint. This vulnerability only affects applications that take on the role of an Authorization Server and use the default Approval Endpoint.
github.com/spring-projects/spring-security-oauth/commit/1c6815ac1b26fb2f079adbe283c43a7fd0885f3d
github.com/spring-projects/spring-security-oauth/commit/6b1791179c1092553aa0690da22dac4dff2fc58d
github.com/spring-projects/spring-security-oauth/commit/8e9792c1963f1aeea81ca618785eb8d71d1cd1d2
github.com/spring-projects/spring-security-oauth/commit/adb1e6d19c681f394c9513799b81b527b0cb007c
github.com/spring-projects/spring-security-oauth/issues/1340
pivotal.io/security/cve-2018-1260