CVE-2017-4971

MEDIUM5.9EPSS 75.4%

Insecure Default Initialization of Resource in Pivotal Spring Web Flow

發布日:2022/5/13修改日:2023/11/8

描述

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

受影響套件(1)

Maven/org.springframework.webflow:spring-webflow>= 2.4.0, < 2.4.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-4971
WEBhttps://jira.spring.io/browse/SWF-1700
WEBhttps://pivotal.io/security/cve-2017-4971
WEBhttp://www.securityfocus.com/bid/98785