7.5

CVE-2011-2730

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Data is provided by the National Vulnerability Database (NVD)
Springsource Spring Framework Version <= 2.5.7_sr01
Springsource Spring Framework Version <= 3.0.5
Springsource Spring Framework Version 2.5.0
Springsource Spring Framework Version 2.5.0 Update rc1
Springsource Spring Framework Version 2.5.0 Update rc2
Springsource Spring Framework Version 2.5.1
Springsource Spring Framework Version 2.5.2
Springsource Spring Framework Version 2.5.3
Springsource Spring Framework Version 2.5.4
Springsource Spring Framework Version 2.5.5
Springsource Spring Framework Version 2.5.6
Springsource Spring Framework Version 2.5.7
Springsource Spring Framework Version 3.0.0
Springsource Spring Framework Version 3.0.1
Springsource Spring Framework Version 3.0.2
Springsource Spring Framework Version 3.0.3
Springsource Spring Framework Version 3.0.4
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 53.57% | 0.979
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P