CVE-2017-4971

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-4971
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4971.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-4971
Aliases
Withdrawn
2024-05-15T05:31:15.322773Z
Published
2017-06-13T06:29:00Z
Modified
2023-11-29T06:12:28.168320Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

References

Affected packages

Git / github.com/spring-projects/spring-webflow

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-webflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b38d586b6a047467c3c79c95fca8d432bd1061ce
Last affected
ce98990cc6362cacb307add3a3d1cb6f1295cf63
Last affected
1a125e5801039ffa959934d31939217be73b88c8
Last affected
fb72d3227d230f347baf5ccce529e87c4fba93bf

Affected versions

v2.*

v2.3.1.RELEASE
v2.4.0.M1
v2.4.0.RELEASE
v2.4.1.RELEASE
v2.4.2.RELEASE
v2.4.4.RELEASE