PT-2017-18084 · Pivotal · Spring Web Flow

He1Renyagao

Publicado

2017-11-27

Atualizado

2022-05-13

CVE-2017-8039

CVSS v3.1

5.9

Média

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Pivotal Spring Web Flow versions prior to 2.5

Description An issue was discovered in Pivotal Spring Web Flow where applications that do not change the value of the useSpringBinding property, which is disabled by default, can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Recommendations For versions prior to 2.5, consider enabling the useSpringBinding property to mitigate the risk of exploitation. As a temporary workaround, restrict the use of view states that process form submissions without explicit data binding property mappings until a patch is available.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1188

Identificadores relacionados

CVE-2017-8039

GHSA-Q4V9-QJMW-J7VF

Produtos afetados

Spring Web Flow

PT-2017-18084 · Pivotal · Spring Web Flow

CVE-2017-8039

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5