{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.3"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.4"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.5"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.0"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.3"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.4"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.5"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.6"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.7"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.8"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.9"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2d6640db09f3c3b7612ec3bf08e7ff8ff2b90cc7"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "d648f056015c5a43e1f8f198180290a0721ef234"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "cdf933e8ed1dddbfb5002b44917817c8a3a856ec"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "7838c880ff8a58525095ebcbee1f7be6206c8f3e"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "bbe9c54e336facd91db235718fafab8433bcf02b"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "be52453f005b9f46532f7de5e30744784370522c"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "e5f9ff3be7d9cf1101d96aa3e169e34f33421516"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "15ae2a0a908352c123e7eb267e16e07af73f7951"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "3249391c7c51ff93d48032f10baccba8163b4611"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "691ffb197b25bd1ef93621f541fd87462557e1a5"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "84cc3b3e25cc3d693be3bafc0a03ed669654ad2c"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "1d2547f3dfeba5c249060ffc413b157603f022aa"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "b38b3719b9b09fac39ad0d7a83dbad3a48ee1ca4"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "9bbf9c605d37261fa1df039b6b34026340aaecb7"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "37ed413a4c1cd14018b43156c4f76bbb9f9fd3c6"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "8c9e8ec70eb50542ed86fd4e1d110137e6e8e96b"
            }
          ],
          "repo": "https://github.com/spring-projects/spring-security-oauth",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the value of the response_type request parameter was evaluated as a Spring Expression Language (SpEL) expression. A user able to submit an authorization request (the CVSS vector rates this as requiring only low privileges) could therefore achieve remote code execution on the authorization server by supplying a crafted response_type value; no authorization of the request is needed for the expression to be evaluated, since it happens while rendering the error/whitelabel view.",
  "id": "CVE-2016-4977",
  "modified": "2026-03-13T21:49:35.379299165Z",
  "published": "2017-05-25T17:29:00.707Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/16/1"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/0841d849c23418c473ccb9183cbf41a317cb0476e44be48022ce3488%40%3Cdev.fineract.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/37d7e820fc65a768de3e096e98382d5529a52a039f093e59357d0bc0%40%3Cdev.fineract.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5e6dd946635bbcc9e1f2591599ad0fab54f2dc3714196af3b17893f2%40%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/96c017115069408cec5e82ce1e6293facab398011f6db7e1befbe274%40%3Cdev.fineract.apache.org%3E"
    },
    {
      "type": "ADVISORY",
      "url": "https://pivotal.io/security/cve-2016-4977"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}