CVE-2016-4977

Name of the Vulnerable Software and Affected Versions Spring Security OAuth versions 1.0.0 through 1.0.5 Spring Security OAuth versions 2.0.0 through 2.0.9

Description The issue allows a malicious user to trigger remote code execution by crafting the value for the response type parameter, which is executed as Spring SpEL when processing authorization requests using the whitelabel views.

Recommendations For versions 1.0.0 through 1.0.5, update to a version that fixes this issue. For versions 2.0.0 through 2.0.9, update to a version that fixes this issue. As a temporary workaround, consider restricting the use of the response type parameter in the affected API endpoint until a patch is available.