CVE-2017-4971

Source
https://cve.org/CVERecord?id=CVE-2017-4971
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4971.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-4971
Aliases
Published
2017-06-13T06:29:00.597Z
Modified
2026-07-08T11:48:48.883432Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

References

Affected packages

Git / github.com/spring-projects/spring-webflow

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-webflow
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.4:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "2.4.0"
        },
        {
            "last_affected": "2.4.0"
        },
        {
            "introduced": "2.4.1"
        },
        {
            "last_affected": "2.4.1"
        },
        {
            "introduced": "2.4.2"
        },
        {
            "last_affected": "2.4.2"
        },
        {
            "introduced": "2.4.4"
        },
        {
            "last_affected": "2.4.4"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

2.*
2.4.0
2.4.1
2.4.2
2.4.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-4971.json"