Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNHY5LXFqbXctajd2Zs4AASbg
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
Permalink: https://github.com/advisories/GHSA-q4v9-qjmw-j7vfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNHY5LXFqbXctajd2Zs4AASbg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-q4v9-qjmw-j7vf, CVE-2017-8039
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-8039
- https://pivotal.io/security/cve-2017-8039
- http://www.securityfocus.com/bid/100849
- https://github.com/advisories/GHSA-q4v9-qjmw-j7vf
Affected Packages
maven:org.springframework.webflow:spring-webflow
Dependent packages: 614Dependent repositories: 1,943
Downloads:
Affected Version Ranges: <= 2.4.5
Fixed in: 2.4.6
All affected versions:
All unaffected versions: 3.0.0