Client Secret not checked with OAuth Password grant type
The client secret is not checked when the OAuth 2.0 Resource Owner Password Credentials (password) grant type is used: the token endpoint issues tokens even when the client_secret presented is wrong or missing.
By exploiting this vulnerability, an attacker could connect to the Web Server using a client application that is not explicitly authorized as part of the OAuth deployment.
Exploitation requires valid user credentials, and the token obtained carries only that user's privileges; the flaw does not allow the attacker to bypass or escalate user privileges.
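The following is an added example, not code from PcVue or from the advisory's author. It models a minimal OAuth 2.0 token endpoint for the password grant in Python, with a switch that reproduces the class of flaw described above (client_id looked up, client_secret never verified) next to the corrected behaviour (client authentication fails closed before the user's credentials are examined), and a probe that a practitioner could adapt to confirm whether a deployment checks the secret: it sends a password grant with valid user credentials and a deliberately wrong client_secret and reports whether a token comes back. The client, user, secrets and function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real PcVue credentials): one registered
# client application and one user account, both stored as SHA-256 hashes.
def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

REGISTERED_CLIENTS = {"mobile-app": _hash("s3cr3t-client")}
USERS = {"operator": _hash("Op3rator!")}


def _check(store: dict, name: str, presented: str) -> bool:
    """Constant-time comparison of a presented secret against the stored
    hash. Unknown names fail closed instead of raising."""
    expected = store.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _hash(presented))


def token_endpoint(form: dict, verify_client_secret: bool) -> tuple[int, dict]:
    """Minimal OAuth 2.0 token endpoint handling grant_type=password.

    verify_client_secret=False reproduces the weakness in the advisory:
    the client_id is looked up, but the client_secret is never compared.
    verify_client_secret=True is the corrected behaviour: the client is
    authenticated first, so an unauthorized application is rejected with
    invalid_client before the user's credentials are even looked at.
    """
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    client_id = form.get("client_id", "")
    if verify_client_secret:
        if not _check(REGISTERED_CLIENTS, client_id, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
    else:
        # Weak branch: client_id is a public identifier, so knowing it proves
        # nothing. A wrong or missing client_secret is silently accepted.
        if client_id not in REGISTERED_CLIENTS:
            return 401, {"error": "invalid_client"}

    # Either way the resource owner must still authenticate, which is why the
    # advisory notes that exploitation needs valid credentials and does not
    # grant privileges beyond that user's own.
    if not _check(USERS, form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}

    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def probe_password_grant(endpoint, client_id: str, username: str, password: str) -> bool:
    """Return True if the endpoint issues a token for a password grant whose
    client_secret is deliberately wrong, i.e. the secret is not checked."""
    status, body = endpoint({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": "definitely-not-the-secret",
        "username": username,
        "password": password,
    })
    return status == 200 and "access_token" in body


if __name__ == "__main__":
    weak = lambda f: token_endpoint(f, verify_client_secret=False)
    fixed = lambda f: token_endpoint(f, verify_client_secret=True)
    print("weak endpoint affected:", probe_password_grant(weak, "mobile-app", "operator", "Op3rator!"))
    print("fixed endpoint affected:", probe_password_grant(fixed, "mobile-app", "operator", "Op3rator!"))
```

Against a real deployment the probe is the same request with the wrong secret sent to the live token endpoint (some servers expect the client credentials in an HTTP Basic Authorization header rather than in the form body); a 200 with an access token means client authentication is not enforced for the password grant, a 401 invalid_client means it is.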
Uninstall the Web Server:
The OAuth web service is part of the PcVue Web Server. If your system does not require the Web & Mobile features, do not install them, and uninstall the Web Server where it is already present.
Update the Web Deployment Console (WDC) and re-deploy the Web Server:
Install a patched release of the product, including the Web Deployment Console (WDC), then use the WDC to re-deploy the Web Server; the fix is only in effect once the patched Web Server has replaced the deployed one.
Available patches:
Fixed in:
* PcVue 16.2.2
Configurations
Only Web Servers on which the Web & Mobile features are deployed are affected.