CVE-2017-4971

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
References
Link Resource
http://www.securityfocus.com/bid/98785 Third Party Advisory VDB Entry
https://jira.spring.io/browse/SWF-1700 Issue Tracking Patch
https://pivotal.io/security/cve-2017-4971 Mitigation Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal:spring_web_flow:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:pivotal:spring_web_flow:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:pivotal:spring_web_flow:2.4.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-06-13 06:29

Updated : 2019-10-03 00:03


NVD link : CVE-2017-4971

Mitre link : CVE-2017-4971


JSON object : View

Products Affected

pivotal

  • spring_web_flow
CWE
CWE-1188

Insecure Default Initialization of Resource