GHSA-fg9w-cffm-pmh2

Source

https://github.com/advisories/GHSA-fg9w-cffm-pmh2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fg9w-cffm-pmh2/GHSA-fg9w-cffm-pmh2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fg9w-cffm-pmh2

Aliases

CVE-2017-4971

Published

2022-05-13T01:45:59Z

Modified

2023-11-08T03:59:21.329319Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Insecure Default Initialization of Resource in Pivotal Spring Web Flow

Details

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Database specific

{
    "nvd_published_at": "2017-06-13T06:29:00Z",
    "github_reviewed_at": "2022-07-01T17:02:04Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1188"
    ]
}

References

Affected packages

Maven / org.springframework.webflow:spring-webflow

Package

Name: org.springframework.webflow:spring-webflow; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.webflow/spring-webflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.4.5

Affected versions

2.*

2.4.0.RELEASE

2.4.1.RELEASE

2.4.2.RELEASE

2.4.4.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 2.4.4"
}