PT-2017-18084 · Pivotal · Spring Web Flow

He1Renyagao

Published

2017-11-27

Updated

2022-05-13

CVE-2017-8039

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Pivotal Spring Web Flow versions prior to 2.5

Description An issue was discovered in Pivotal Spring Web Flow where applications that do not change the value of the useSpringBinding property, which is disabled by default, can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Recommendations For versions prior to 2.5, consider enabling the useSpringBinding property to mitigate the risk of exploitation. As a temporary workaround, restrict the use of view states that process form submissions without explicit data binding property mappings until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1188

Related Identifiers

CVE-2017-8039

GHSA-Q4V9-QJMW-J7VF

Affected Products

Spring Web Flow

PT-2017-18084 · Pivotal · Spring Web Flow

CVE-2017-8039

Weakness Enumeration

Related Identifiers

Affected Products

References · 5