CVE-2011-2730
Published 2012-12-05
Priority P341 · high · 7.5 CVSS 2.0 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS 11.78% (95.6th percentile)
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Affected
15 ranges (13 of them carry no version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| springsource | spring_framework | <= 2.5.7_sr01 | — |
| springsource | spring_framework | <= 3.0.5 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
ghsa·2022-05-17
CVE-2011-2730 [HIGH] Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework
OSV
osv·2022-05-17
CVE-2011-2730 [HIGH] Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework
Red Hat
vendor_redhat·2011-09-09·CVSS 7.5
CVE-2011-2730 [HIGH] Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
Statement: This flaw was originally reported as resulting in i
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla·2013-01-18·CVSS 7.5
[HIGH] Spring Framework: Remote code execution with Expression Language injection
It was found that in certain circumstances, Spring framework evaluated Expression Language (EL) expressions twice: once by the container, and once by the tag. A remote attacker could use this flaw to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server, via a specially-crafted HTTP request.
References:
[1] http://www.networkworld.com/news/2013/011713-java-spring-framework-265923.html
[2] http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/
Discussion:
SpringSource security team has confirmed that this is NOT a new security flaw (other than original CVE-2011-2730 issue), but rather just a new exploit
Bugzilla
bugzilla·2011-09-12·CVSS 7.5
CVE-2011-2730 [HIGH] CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
References:
[1] http://www.securityfocus.com/archive/1/519586/30/0/threaded
[2] http://bit.ly/ExpressionLanguageInjection
[3] http://www.springsource.com/security/cve-2011-2730
Discussion:
Sample PoC (from [1]):
Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}
to
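The Bugzilla description above gives the mechanism: the container resolves `${...}` in a tag attribute once, and the affected Spring tag evaluates the resulting string again, so a value pulled from a request parameter is itself treated as EL. As an added audit check (example code, not from the advisory, the bug tracker or Spring itself), this script scans JSP sources for exactly the tag/attribute pairs the CVE enumerates and flags those whose value carries an EL marker, so each can be reviewed and the deployment moved to a fixed release; the sample JSP is constructed.

```python
import re

# Tag -> attributes that an affected Spring release re-evaluated as EL,
# exactly as enumerated in the CVE-2011-2730 description (keys lower-cased
# so <spring:nestedPath> and <spring:hasBindErrors> match either spelling).
RISKY_ATTRS = {
    "hasbinderrors": {"name"},
    "bind": {"path"},
    "nestedpath": {"path"},
    "message": {"arguments", "code", "text", "var", "scope", "message"},
    "theme": {"arguments", "code", "text", "var", "scope", "message"},
    "transform": {"var", "scope", "value"},
}

TAG_RE = re.compile(r"<spring:(\w+)\b([^>]*?)/?>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
EL_RE = re.compile(r"[$#]\{")  # ${...} immediate EL or #{...} deferred EL


def find_double_eval_attrs(jsp_source):
    """Return (line, tag, attribute, value) for every risky attribute whose
    value contains EL. Each hit is a spot where, on an unfixed release, the
    container-resolved string is fed back into the EL engine by the tag."""
    findings = []
    for m in TAG_RE.finditer(jsp_source):
        tag, attr_text = m.group(1), m.group(2)
        risky = RISKY_ATTRS.get(tag.lower())
        if not risky:
            continue  # a Spring tag the CVE does not list
        line = jsp_source.count("\n", 0, m.start()) + 1
        for name, value in ATTR_RE.findall(attr_text):
            if name.lower() in risky and EL_RE.search(value):
                findings.append((line, tag, name, value))
    return findings


# Constructed sample JSP: line 3 has the shape behind the PoC quoted above,
# where the "message" request parameter is resolved once by the container
# and then evaluated again by <spring:message>.
SAMPLE_JSP = """\
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:message code="greeting"/>
<spring:message text="${param.message}"/>
<spring:bind path="${param.field}">...</spring:bind>
<spring:transform value="${status.value}" var="out"/>
<spring:hasBindErrors name="command">errors</spring:hasBindErrors>
"""

if __name__ == "__main__":
    for line, tag, attr, value in find_double_eval_attrs(SAMPLE_JSP):
        print(f'line {line}: <spring:{tag} {attr}="{value}"> holds EL, review')
```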
arXiv
Does the Vulnerability Threaten Our Projects? Automated Vulnerable API Detection for Third-Party Libraries
arxiv_fulltext·2024-09-04
Fangyuan Zhang, Lingling Fan (corresponding author), Sen Chen, Miaoying Cai, Sihan Xu, and Lida Zhao (Nankai University; Tianjin University; Nanyang Technological University)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
- http://rhn.redhat.com/errata/RHSA-2013-0191.html
- http://rhn.redhat.com/errata/RHSA-2013-0192.html
- http://rhn.redhat.com/errata/RHSA-2013-0193.html
- http://rhn.redhat.com/errata/RHSA-2013-0194.html
- http://rhn.redhat.com/errata/RHSA-2013-0195.html
- http://rhn.redhat.com/errata/RHSA-2013-0196.html
- http://rhn.redhat.com/errata/RHSA-2013-0197.html
- http://rhn.redhat.com/errata/RHSA-2013-0198.html
- http://rhn.redhat.com/errata/RHSA-2013-0221.html
- http://rhn.redhat.com/errata/RHSA-2013-0533.html
- http://secunia.com/advisories/51984
- http://secunia.com/advisories/52054
- http://secunia.com/advisories/55155
- http://support.springsource.com/security/cve-2011-2730
- http://www.debian.org/security/2012/dsa-2504
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.securitytracker.com/id/1029151
- https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit