7.5
CVE-2011-2730
- EPSS 53.57%
- Published 05.12.2012 17:55:01
- Last modified 11.04.2025 00:51:21
- Source secalert@redhat.com
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Data is provided by the National Vulnerability Database (NVD)
Springsource ≫ Spring Framework Version <= 2.5.7_sr01
Springsource ≫ Spring Framework Version <= 3.0.5
Springsource ≫ Spring Framework Version 2.5.0
Springsource ≫ Spring Framework Version 2.5.0 Update rc1
Springsource ≫ Spring Framework Version 2.5.0 Update rc2
Springsource ≫ Spring Framework Version 2.5.1
Springsource ≫ Spring Framework Version 2.5.2
Springsource ≫ Spring Framework Version 2.5.3
Springsource ≫ Spring Framework Version 2.5.4
Springsource ≫ Spring Framework Version 2.5.5
Springsource ≫ Spring Framework Version 2.5.6
Springsource ≫ Spring Framework Version 2.5.7
Springsource ≫ Spring Framework Version 3.0.0
Springsource ≫ Spring Framework Version 3.0.1
Springsource ≫ Spring Framework Version 3.0.2
Springsource ≫ Spring Framework Version 3.0.3
Springsource ≫ Spring Framework Version 3.0.4
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 53.57% | 0.979 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |