Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.

This vulnerability exposes applications that meet all of the following requirements:

• Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
• Use the default Approval Endpoint

This vulnerability does not expose applications that:

• Act in the role of an Authorization Server but override the default Approval Endpoint
• Act in the role of a Resource Server only (e.g. @EnableResourceServer)
• Act in the role of a Client only (e.g. @EnableOAuthClient)

• Spring Security OAuth 2.3 to 2.3.2
• Spring Security OAuth 2.2 to 2.2.1
• Spring Security OAuth 2.1 to 2.1.1
• Spring Security OAuth 2.0 to 2.0.14
• Older unsupported versions are also affected

Users of affected versions should apply the following mitigation:

• 2.3.x users should upgrade to 2.3.3
• 2.2.x users should upgrade to 2.2.2
• 2.1.x users should upgrade to 2.1.2
• 2.0.x users should upgrade to 2.0.15
• Older versions should upgrade to a supported branch

There are no other mitigation steps required.

This issue was identified and responsibly reported by Philippe Arteau from GoSecure.