Lucene search

[email protected]CVE-2017-4971

HistoryJun 13, 2017 - 6:29 a.m.

CVE-2017-4971

2017-06-1306:29:00

CWE-1188

[email protected]

web.nvd.nist.gov

pivotal

spring web flow

cve-2017-4971

security vulnerability

nvd

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.6 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.259 Low

EPSS

Percentile

96.7%

JSON

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to ‘false’) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

CPENameOperatorVersion
pivotal:spring_web_flowpivotal spring web floweq2.4.4
pivotal:spring_web_flowpivotal spring web floweq2.4.1
pivotal:spring_web_flowpivotal spring web floweq2.4.0
pivotal:spring_web_flowpivotal spring web floweq2.4.2

CPE	Name	Operator	Version
pivotal:spring_web_flow	pivotal spring web flow	eq	2.4.4
pivotal:spring_web_flow	pivotal spring web flow	eq	2.4.1
pivotal:spring_web_flow	pivotal spring web flow	eq	2.4.0
pivotal:spring_web_flow	pivotal spring web flow	eq	2.4.2