CVE-2017-8039

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-8039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-8039
Aliases
Withdrawn
2024-05-15T05:33:05.486237Z
Published
2017-11-27T10:29:00Z
Modified
2023-11-29T06:14:37.392697Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

References

Affected packages

Git / github.com/spring-projects/spring-webflow

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-webflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b38d586b6a047467c3c79c95fca8d432bd1061ce
Last affected
ce98990cc6362cacb307add3a3d1cb6f1295cf63
Last affected
1a125e5801039ffa959934d31939217be73b88c8
Last affected
fb72d3227d230f347baf5ccce529e87c4fba93bf
Last affected
57f2ccb66946943fbf3b3f2165eac1c8eb6b1523

Affected versions

v2.*

v2.3.1.RELEASE
v2.4.0.M1
v2.4.0.RELEASE
v2.4.1.RELEASE
v2.4.2.RELEASE
v2.4.4.RELEASE