RHEL 7 : spring-webflow (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow CVE-2017-8039 - An issue was...

Spring Web Flow 3.0 M1 Released

It has been almost 4 years since the last set of Spring Web Flow releases. Nevertheless, the project continues to serve a specific need particularly well, arguably better than alternatives, and remains in active use. While there hasnt been a strong driver for new releases, the upcoming Spring...

Insecure Default Initialization of Resource in Pivotal Spring Web Flow

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default i.e., set to 'false' can be vulnerable to malicious EL expressions in view states that process form...

GHSA-FG9W-CFFM-PMH2 Insecure Default Initialization of Resource in Pivotal Spring Web Flow

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default i.e., set to 'false' can be vulnerable to malicious EL expressions in view states that process form...

Spring Web Flow SPEL Command Injection (CVE-2017-4971) - Ver2

A command injection vulnerability exists in Spring Web. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system...

CVE-2017-8039

Pivotal Spring Web Flow up to version 2.4.5 is affected when applications do not change MvcViewFactoryCreator.useSpringBinding (default false); this can allow malicious EL expressions in view states that process form submissions lacking explicit data binding property mappings. The issue stems fro...

CVE-2017-4971

CVE-2017-4971 affects Pivotal Spring Web Flow up to 2.4.4/2.4.5. The issue arises when MvcViewFactoryCreator.useSpringBinding is left at its default false, allowing malicious EL expressions in view states during form submissions to be processed without explicit data binding mappings. This is tied...

Pivotal Spring Web Flow Remote Code Execution Vulnerability

Pivotal Spring Web Flow is a web application from Pivotal Software, Inc. that provides navigation for check-in, loan application or shopping cart checkout. A remote code execution vulnerability exists in Pivotal Spring Web Flow versions 2.4.0 through 2.4.4. The vulnerability is caused due to a...

Data Binding Expression Vulnerability

Spring Web Flow is vulnerable to a data binding expression vulnerability. The vulnerability is possible because the MvcViewFactoryCreator useSpringBinding property is set to false by default. Therefore, the applications which use the default settings are vulnerable to malicious EL expressions in...