
CVE-2017-8039

Published: 27/11/2017 Updated: 03/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

An issue exists in Pivotal Spring Web Flow up to and including 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

Vulnerable Product

pivotal spring web flow 2.4.1

pivotal spring web flow 2.4.4

pivotal spring web flow 2.4.5

pivotal spring web flow 2.4.0

pivotal spring web flow 2.4.2

Vendor Advisories

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare exp ...