CVE-2017-8039

MEDIUM5.9EPSS 0.18%

Insecure Default Initialization of Resource in Pivotal Spring Web Flow

發布日:2022/5/13修改日:2023/11/8

描述

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

受影響套件(1)

Maven/org.springframework.webflow:spring-webflowfrom 0, < 2.4.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-8039
WEBhttps://pivotal.io/security/cve-2017-8039
WEBhttp://www.securityfocus.com/bid/100849