CVE-2017-8039

Source
https://cve.org/CVERecord?id=CVE-2017-8039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-8039
Aliases
Published
2017-11-27T10:29:00.847Z
Modified
2026-07-08T11:36:27.086381Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

References

Affected packages

Git / github.com/spring-projects/spring-webflow

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-webflow
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:pivotal:spring_web_flow:2.4.5:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "2.4.0"
        },
        {
            "last_affected": "2.4.0"
        },
        {
            "introduced": "2.4.1"
        },
        {
            "last_affected": "2.4.1"
        },
        {
            "introduced": "2.4.2"
        },
        {
            "last_affected": "2.4.2"
        },
        {
            "introduced": "2.4.4"
        },
        {
            "last_affected": "2.4.4"
        },
        {
            "introduced": "2.4.5"
        },
        {
            "last_affected": "2.4.5"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

2.*
2.4.0
2.4.1
2.4.2
2.4.4
2.4.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8039.json"