Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10

Type maven

Namespace org.springframework.security.oauth

Name spring-security-oauth2

Version 2.0.10

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 2.0.15.RELEASE

Latest_non_vulnerable_version 2.5.2.RELEASE

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-rfwp-tv3x-zqak

vulnerability_id VCID-rfwp-tv3x-zqak

summary

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

references

reference_url	https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488@%3Cdev.fineract.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488@%3Cdev.fineract.apache.org%3E

reference_url	https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0@%3Cdev.fineract.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0@%3Cdev.fineract.apache.org%3E

reference_url	https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2@%3Cannounce.apache.org%3E

reference_url	https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274@%3Cdev.fineract.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274@%3Cdev.fineract.apache.org%3E

reference_url	http://www.openwall.com/lists/oss-security/2019/10/16/1
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2019/10/16/1

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-4977
reference_id	CVE-2016-4977
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-4977

reference_url	https://pivotal.io/security/cve-2016-4977
reference_id	CVE-2016-4977
reference_type
scores
url	https://pivotal.io/security/cve-2016-4977

reference_url	https://github.com/advisories/GHSA-7q9c-h23x-65fq
reference_id	GHSA-7q9c-h23x-65fq
reference_type
scores
url	https://github.com/advisories/GHSA-7q9c-h23x-65fq

fixed_packages

url	pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10
purl	pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10

aliases CVE-2016-4977, GHSA-7q9c-h23x-65fq

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rfwp-tv3x-zqak

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.0.10

Package Instance