PT-2017-16234 · Pivotal · Spring Web Flow

Stefano Ciccone · Published 2017-06-13 · Updated 2022-05-13 · CVE-2017-4971

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Pivotal Spring Web Flow versions prior to 2.4.5

Description: The issue concerns malicious EL expressions in view states that process form submissions. Applications that leave the useSpringBinding property at its default value (disabled) can be affected.

Recommendations: For versions prior to 2.4.5, update to version 2.4.5 or later to resolve the issue. As a temporary workaround, enable the useSpringBinding property so that malicious EL expressions are not evaluated.
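The workaround above, shown in Spring Web Flow's XML configuration as an added illustration that is not part of this advisory. It assumes a Spring MVC-integrated flow setup that declares the MvcViewFactoryCreator bean; the bean ids, the viewResolver reference and the flow-builder-services wiring are assumptions for this example, and the namespace declarations of the enclosing beans file are omitted.

```xml
<!-- Default (vulnerable) declaration: useSpringBinding is not set, so it is
     false and form submissions are bound through the flow's EL parser.
     Declare only ONE of the two mvcViewFactoryCreator beans below. -->
<bean id="mvcViewFactoryCreator"
      class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
    <!-- viewResolver is an assumed bean id for this example -->
    <property name="viewResolvers" ref="viewResolver"/>
</bean>

<!-- Hardened declaration (temporary workaround for versions prior to 2.4.5):
     enable Spring data binding so submitted fields are not evaluated as EL. -->
<bean id="mvcViewFactoryCreator"
      class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
    <property name="viewResolvers" ref="viewResolver"/>
    <property name="useSpringBinding" value="true"/>
</bean>

<!-- Wire the chosen creator into the flow builder services so every view
     state of every flow uses the same binding mode. -->
<webflow:flow-builder-services id="flowBuilderServices"
    view-factory-creator="mvcViewFactoryCreator"/>
```

To confirm the setting took effect, check that the MvcViewFactoryCreator bean the flow-builder-services element references is the one carrying useSpringBinding=true; a second creator bean left in another context file with the default value would silently keep the vulnerable behaviour. Upgrading to 2.4.5 or later remains the actual fix.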


Related Identifiers

CVE-2017-4971
GHSA-FG9W-CFFM-PMH2

Affected Products

Spring Web Flow