A vulnerability in Pivotal Spring Security OAuth could allow an unauthenticated, remote attacker to conduct an open redirect attack on a targeted system.
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a request using the authorization code grant type to the targeted system and specifying a malicious redirection URI using the redirect_url parameter. A successful exploit could cause the authorization server to redirect the resource owner's user-agent to an attacker-controlled URI, providing the attacker with sensitive information (such as an authorization code) that could be used to conduct further attacks.
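The control that is missing in the scenario above is strict redirect URI validation at the authorization endpoint. The following added example (generic Python, not Spring Security OAuth's code) contrasts an insufficient substring check with exact matching against registered values and shows the endpoint refusing to redirect at all when the check fails; the client registry and the issued code are constructed placeholders.

```python
"""Added illustration of redirect_uri handling at an OAuth 2.0 authorization
endpoint (authorization code grant). Generic Python, not Spring Security OAuth
code; client registration data and the issued code are constructed."""
from urllib.parse import urlsplit, urlencode

# Constructed client registry: client_id -> exact, pre-normalized redirect URIs.
REGISTERED_CLIENTS = {
    "web-app": {"https://app.example.com/callback"},
}

def weak_redirect_check(requested, registered):
    """Insufficient validation: a substring test on the registered host lets
    a URI on a different host pass as long as it contains that host name."""
    return any(urlsplit(r).hostname in requested for r in registered)

def is_registered_redirect_uri(requested, registered):
    """Exact match against a registered value (RFC 6749 section 3.1.2.3)
    after lowercasing the authority (urlsplit already lowercases the scheme);
    fragments and non-https schemes are rejected outright."""
    if not requested:
        return False
    parts = urlsplit(requested)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    normalized = parts._replace(netloc=parts.netloc.lower()).geturl()
    return normalized in registered

def authorize(params):
    """Authorization-endpoint decision for the code grant. Returns
    ('redirect', location) only for a registered redirect_uri; otherwise
    ('error', reason), so the user-agent is never sent to the requested
    URI (RFC 6749 section 4.1.2.1)."""
    registered = REGISTERED_CLIENTS.get(params.get("client_id"))
    if registered is None:
        return ("error", "unknown client_id")
    requested = params.get("redirect_uri", "")
    if not is_registered_redirect_uri(requested, registered):
        return ("error", "redirect_uri does not match a registered value")
    code = "CONSTRUCTED-AUTH-CODE"  # placeholder for a freshly minted code
    query = urlencode({"code": code, "state": params.get("state", "")})
    sep = "&" if "?" in requested else "?"
    return ("redirect", f"{requested}{sep}{query}")

if __name__ == "__main__":
    req = {"client_id": "web-app", "state": "xyz",
           "redirect_uri": "https://app.example.com/callback"}
    print(authorize(req))
    print(authorize(dict(req, redirect_uri="https://app.example.com.attacker.example/callback")))
```

Note that the error branch returns a message for the user rather than a redirect: sending the user-agent to an unvalidated URI with an error response would still be an open redirect.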
Pivotal Software has confirmed the vulnerability and released software updates.
Security Impact Rating: Critical