Description

Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.

This vulnerability exposes applications that meet all of the following requirements:

• Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
• Use the default Approval Endpoint

This vulnerability does not expose applications that:

• Act in the role of an Authorization Server but override the default Approval Endpoint
• Act in the role of a Resource Server only (e.g. @EnableResourceServer)
• Act in the role of a Client only (e.g. @EnableOAuthClient)

Affected Spring Products and Versions

• Spring Security OAuth 2.3 to 2.3.2
• Spring Security OAuth 2.2 to 2.2.1
• Spring Security OAuth 2.1 to 2.1.1
• Spring Security OAuth 2.0 to 2.0.14
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 2.3.x users should upgrade to 2.3.3
• 2.2.x users should upgrade to 2.2.2
• 2.1.x users should upgrade to 2.1.2
• 2.0.x users should upgrade to 2.0.15
• Older versions should upgrade to a supported branch

There are no other mitigation steps required.

Credit

This issue was identified and responsibly reported by Philippe Arteau from GoSecure.

References

• Spring Security OAuth http://projects.spring.io/spring-security-oauth/docs/oauth2.html'>documentation</a>;, see section "Authorization Server Configuration"
• Example configuration for https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/approval/src/main/java/demo/Application.java#L36'>@EnableAuthorizationServer</a>

History

2018-05-09: Initial vulnerability report published