CVE-2017-4971

Published: 13/06/2017 Updated: 03/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

An issue exists in Pivotal Spring Web Flow up to and including 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property, which is disabled by default (i.e., set to 'false'), can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Vulnerable Product

pivotal spring web flow 2.4.4

pivotal spring web flow 2.4.0

pivotal spring web flow 2.4.2

pivotal spring web flow 2.4.1

Github Repositories

Please note: Due to the large project size (including all commit data), we only publish the vulnerability fix data for now. We are currently undergoing the company process to publish our model, and plan to publish it once complete. Data Description: Vulnerability fixing commits. Stored in csv format. Columns: repo: A URL to the GitHub repository the commit belongs to (eg,

cve-2017-4971

CVE-2017-4971. This is part of Cved: a tool to manage vulnerable docker containers. Cved: github.com/git-rep-src/cved. Image source: github.com/cved-sources/cve-2017-4971. Image author: github.com/Medicean/VulApps/tree/master/s/springwebflow/1