CVE-2016-4977
high
CVSS v3
8.8
CVSS v4 NEW
โ
VIR risk
8.8
Description
Spring Security OAuth vulnerable to remote code execution (RCE) via specially crafted request using whitelabel views
Predictions
Exploit likelihood
92%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework.security.oauth:spring-security-oauth2 | >=2.0.0,<2.0.10 | 2.0.10 |
| Maven | org.springframework.security.oauth:spring-security-oauth2 | >=1.0.0,<1.0.5 | 1.0.5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| pivotal | spring_security_oauth | 1.0.0 | |
| pivotal | spring_security_oauth | 1.0.1 | |
| pivotal | spring_security_oauth | 1.0.2 | |
| pivotal | spring_security_oauth | 1.0.3 | |
| pivotal | spring_security_oauth | 1.0.4 | |
| pivotal | spring_security_oauth | 1.0.5 | |
| pivotal | spring_security_oauth | 2.0.0 | |
| pivotal | spring_security_oauth | 2.0.1 | |
| pivotal | spring_security_oauth | 2.0.2 | |
| pivotal | spring_security_oauth | 2.0.3 | |
| pivotal | spring_security_oauth | 2.0.4 | |
| pivotal | spring_security_oauth | 2.0.5 | |
| pivotal | spring_security_oauth | 2.0.6 | |
| pivotal | spring_security_oauth | 2.0.7 | |
| pivotal | spring_security_oauth | 2.0.8 | |
| pivotal | spring_security_oauth | 2.0.9 | |
References
- http://www.openwall.com/lists/oss-security/2019/10/16/1
- https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488%40%3Cdev.fineract.apache.org%3E
- https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0%40%3Cdev.fineract.apache.org%3E
- https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274%40%3Cdev.fineract.apache.org%3E
- https://pivotal.io/security/cve-2016-4977
- https://nvd.nist.gov/vuln/detail/CVE-2016-4977
- https://github.com/advisories/GHSA-7q9c-h23x-65fq
- https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488@%3Cdev.fineract.apache.org%3E
- https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0@%3Cdev.fineract.apache.org%3E
- https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274@%3Cdev.fineract.apache.org%3E
CWEs
CWE-19
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.