CVE-2017-4971

Published: Jun 13, 2017Modified: May 13, 2026

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Affected (4)

Products: Pivotal: Spring Web Flow

1 product

Spring Web Flow

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Pivotal Spring Web Flow	Version 2.4.0
Pivotal Spring Web Flow	Version 2.4.1
Pivotal Spring Web Flow	Version 2.4.2
Pivotal Spring Web Flow	Version 2.4.4

Related CWEs

Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References (6)

http://www.securityfocus.com/bid/98785

Source: security_alert@emc.com

Third Party AdvisoryVDB Entry

https://jira.spring.io/browse/SWF-1700

Source: security_alert@emc.com

Issue TrackingPatch

https://pivotal.io/security/cve-2017-4971

Source: security_alert@emc.com

MitigationPatchVendor Advisory

http://www.securityfocus.com/bid/98785

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://jira.spring.io/browse/SWF-1700

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

https://pivotal.io/security/cve-2017-4971

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchVendor Advisory

Timeline

No history available yet.