CVE-2011-2730

Name of the Vulnerable Software and Affected Versions VMware SpringSource Spring Framework versions prior to 2.5.6.SEC03 VMware SpringSource Spring Framework versions prior to 2.5.7.SR023 VMware SpringSource Spring Framework versions prior to 3.0.6

Description The issue allows remote attackers to obtain sensitive information via specific attributes in various tags when a container supports Expression Language (EL). This is due to the evaluation of EL expressions in tags twice. The affected attributes include name in spring:hasBindErrors tags, path in spring:bind or spring:nestedpath tags, and several attributes in spring:message, spring:theme, and spring:transform tags, such as arguments, code, text, var, scope, message, and value.

Recommendations For versions prior to 2.5.6.SEC03, update to version 2.5.6.SEC03 or later. For versions prior to 2.5.7.SR023, update to version 2.5.7.SR023 or later. For versions prior to 3.0.6, update to version 3.0.6 or later. As a temporary workaround, consider restricting the use of Expression Language (EL) in tags until a patch is applied. Avoid using the vulnerable attributes in the affected tags to minimize the risk of exploitation.