CVE-2018-1260: Remote Code Execution with spring-security-oauth2
Spring Security OAuth versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15, and older unsupported versions contain a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that leads to remote code execution when the resource owner is forwarded to the approval endpoint.
This vulnerability exposes applications that meet all of the following requirements:
- Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
- Use the default Approval Endpoint
This vulnerability does not expose applications that:
- Act in the role of an Authorization Server but override the default Approval Endpoint
- Act in the role of a Resource Server only (e.g. @EnableResourceServer)
- Act in the role of a Client only (e.g. @EnableOAuthClient)
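The first step in triaging this advisory is finding every copy of the affected artifact in a build and checking it against the fixed versions listed above. The following checker is an added example, not part of the advisory or the Spring project: it encodes the advisory's version ranges (anything older than 2.0 counts as the unsupported, never-fixed line) and scans constructed `mvn dependency:list`-style output for `org.springframework.security.oauth:spring-security-oauth2`, transitive occurrences included.

```python
import re

# Fix versions named in the advisory, keyed by the (major, minor) branch they close.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 3),
    (2, 2): (2, 2, 2),
    (2, 1): (2, 1, 2),
    (2, 0): (2, 0, 15),
}
AFFECTED_ARTIFACT = "org.springframework.security.oauth:spring-security-oauth2"
# 'group:artifact:type:version:scope' as printed by `mvn dependency:list`.
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|pom|war):([\w.\-]+):(\w+)")


def parse_version(version):
    """Numeric (major, minor, patch) of a Spring-style version; qualifiers such as
    '.RELEASE' or '.BUILD-SNAPSHOT' are ignored, so snapshots are judged by number."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True if in an affected range: a named branch below its fix version, or any
    branch before 2.0 (unsupported, never fixed); newer than 2.3 is outside scope."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    return branch < (2, 0)


def scan_dependency_list(output):
    """Return (version, vulnerable) for every spring-security-oauth2 entry in
    `mvn dependency:list`-style output, transitive occurrences included."""
    findings = []
    for line in output.splitlines():
        m = DEP_LINE.search(line)
        if m and f"{m.group(1)}:{m.group(2)}" == AFFECTED_ARTIFACT:
            findings.append((m.group(3), is_vulnerable(m.group(3))))
    return findings


# Constructed sample of Maven output for a stand-alone run; not from a real build.
SAMPLE_OUTPUT = """\
[INFO]    org.springframework.security:spring-security-core:jar:4.2.6.RELEASE:compile
[INFO]    org.springframework.security.oauth:spring-security-oauth2:jar:2.3.2.RELEASE:compile
[INFO]    org.springframework.security.oauth:spring-security-oauth2:jar:2.0.15.RELEASE:test
"""

if __name__ == "__main__":
    print(scan_dependency_list(SAMPLE_OUTPUT))  # [('2.3.2.RELEASE', True), ('2.0.15.RELEASE', False)]
```

A version flagged here still needs the role check from the lists above: only deployments acting as an Authorization Server with the default Approval Endpoint are exposed, so the finding is a prompt to confirm that, not proof of exposure.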