5.9

CVE-2017-4971

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PivotalSpring Web Flow Version2.4.0
PivotalSpring Web Flow Version2.4.1
PivotalSpring Web Flow Version2.4.2
PivotalSpring Web Flow Version2.4.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 15.86% 0.965
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

http://www.securityfocus.com/bid/98785
Third Party Advisory
VDB Entry
https://jira.spring.io/browse/SWF-1700
Patch
Issue Tracking
https://pivotal.io/security/cve-2017-4971
Patch
Vendor Advisory
Mitigation