Vulnerability CVE-2017-4971


Published: 2017-06-13

Description:
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Type:

CWE-1188

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Pivotal -> Spring web flow 

 References:
http://www.securityfocus.com/bid/98785
https://jira.spring.io/browse/SWF-1700
https://pivotal.io/security/cve-2017-4971

Copyright 2024, cxsecurity.com

 

Back to Top