← Back

CVE-2017-8039

nvd nist
Published: Nov 27, 2017Modified: May 13, 2026

JSON object

Loading...
5.9
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 / Impact: 3.6
Source: NVD

Description

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

Affected (5)

Pivotal
1 product
Spring Web Flow
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Pivotal
Spring Web Flow
Version 2.4.0
Spring Web Flow
Version 2.4.1
Spring Web Flow
Version 2.4.2
Spring Web Flow
Version 2.4.4
Spring Web Flow
Version 2.4.5

Related CWEs

CWE-1188
Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References (4)

Source: security_alert@emc.com
Third Party AdvisoryVDB Entry
Source: security_alert@emc.com
Issue TrackingMitigationVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingMitigationVendor Advisory

Timeline

No history available yet.