cbcvebase.
CVE-2017-4971
published 2017-06-13

Priority: P339 · medium · 5.9 (CVSS 3.0)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 15.86% (96.5th percentile)

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
pivotal | spring_web_flow
pivotal | spring_web_flow
pivotal | spring_web_flow
pivotal | spring_web_flow
pivotal | spring_web_flow

Detection & IOCs (extracted from sources)

url: https://github.com/spring-projects/spring-webflow/commit/57f2ccb66946943fbf3b3f2165eac1c8eb6b1523
  • Vulnerable condition: MvcViewFactoryCreator useSpringBinding property is set to 'false' (the default), combined with view states that process form submissions without a sub-element declaring explicit data binding property mappings — this exposes the application to malicious EL expression injection.
  • The patch for CVE-2017-4971 changes the expression parser in the affected code to a specific empty-expression parser; look for commits or code changes swapping the general expression parser for an empty-expression parser in Spring Web Flow view state handling.
  • CVE-2017-8039 represents a second exploitation path for the same root vulnerability (incomplete fix for CVE-2017-4971) affecting Spring Web Flow through 2.4.5; detections and mitigations should cover both CVEs.

CVSS provenance

nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
ghsa | 5.9 | MEDIUM
osv | 5.9 | MEDIUM
vendor_redhat | 5.9 | MEDIUM