CVE-2017-4971
Published: 2017-06-13
Priority: P3 · 39 · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 15.86% (96.5th percentile)
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
Detection & IOCs
url: https://github.com/spring-projects/spring-webflow/commit/57f2ccb66946943fbf3b3f2165eac1c8eb6b1523
- Vulnerable condition: MvcViewFactoryCreator useSpringBinding property is set to 'false' (the default), combined with view states that process form submissions without a sub-element declaring explicit data binding property mappings — this exposes the application to malicious EL expression injection.
- The patch for CVE-2017-4971 changes the expression parser in the affected code to a specific empty-expression parser; look for commits or code changes swapping the general expression parser for an empty-expression parser in Spring Web Flow view state handling.
- CVE-2017-8039 represents a second exploitation path for the same root vulnerability (incomplete fix for CVE-2017-4971) affecting Spring Web Flow through 2.4.5; detections and mitigations should cover both CVEs.
CVSS provenance
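| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 5.9 | MEDIUM | — |
| osv | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |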
OSV
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
osv·2022-05-13
CVE-2017-4971 [MEDIUM] Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
GHSA
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
ghsa·2022-05-13
CVE-2017-4971 [MEDIUM] CWE-1188 Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
OSV
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
osv·2022-05-13·CVSS 5.9
CVE-2017-8039 [MEDIUM] Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
GHSA
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
ghsa·2022-05-13·CVSS 5.9
CVE-2017-8039 [MEDIUM] CWE-1188 Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
Red Hat
spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
vendor_redhat·2017-09-15·CVSS 5.9
CVE-2017-8039 [MEDIUM] spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
Statement: This issue affects the versions of spring-webflow as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having (Low|Moderate) security impact. A future update may address this issue. For additional informat
Red Hat
spring-webflow: Data Binding Expression Vulnerability
vendor_redhat·2017-05-31·CVSS 5.9
CVE-2017-4971 [MEDIUM] spring-webflow: Data Binding Expression Vulnerability
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
Statement: This issue affects the versions of spring-webflow as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having (Low|Moderate) security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-8039 spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
bugzilla·2017-09-22·CVSS 5.9
CVE-2017-8039 [MEDIUM] CVE-2017-8039 spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e. set to “false”) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
This CVE addresses a second path to exploiting the same vulnerability as the one described under CVE-2017-4971.
External References:
https://pivotal.io/security/cve-2017-8039
Discussion:
Statement:
This issue affects the versions of spring-webflow as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having (Low|Moderate) security impa
Bugzilla
CVE-2017-4971 spring-webflow: Data Binding Expression Vulnerability
bugzilla·2017-06-01·CVSS 5.9
CVE-2017-4971 [MEDIUM] CVE-2017-4971 spring-webflow: Data Binding Expression Vulnerability
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e. set to “false”) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
External References:
https://pivotal.io/security/cve-2017-4971
Discussion:
Statement:
This issue affects the versions of spring-webflow as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having (Low|Moderate) security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.r
arXiv
CompVPD: Iteratively Identifying Vulnerability Patches Based on Human Validation Results with a Precise Context
arxiv_fulltext·2024-06-09
Authors:
- Tianyu Chen, Key Lab of HCST (PKU), MOE; SCS; Peking University, Beijing, China
- Lin Li, Huawei Cloud Computing Technologies Co., Ltd., Beijing, China
- Taotao Qian, Huawei Cloud Computing Technologies Co., Ltd., Beijing, China
- Jingyi Liu, Huawei Cloud Computing Technologies Co., Ltd., Beijing, China
- Wei Yang, University of Texas at Dallas, Dallas, USA
- Ding Li, Key Lab of HCST (PKU), MOE; SCS; Peking University, Beijing, China
- Guangtai Liang, Huawei Cloud Computing Technologies Co., Ltd., Beijing, China
- Qianxiang Wang
arXiv
A ground-truth dataset of real security patches
arxiv_fulltext·2021-10-18·CVSS 5.9
[MEDIUM] A ground-truth dataset of real security patches
## Abstract
Training machine learning approaches for vulnerability
identification and producing reliable tools to assist
developers in implementing quality software---free of
vulnerabilities---is challenging due to the lack of
large datasets and real data. Researchers have been looking at
these issues and building datasets. However,
these datasets usually miss natural language artifacts and programming language
diversity. We scraped the entire CVE details database
for GitHub references and augmented the data with 3 security-related datasets.
We used the data to create a ground-truth dataset of
natural language artifacts (such as commit messages,
commits comments, and summaries), meta-data and code changes. Our dataset
integrates a total of 8057 security-relevant commits---the equivalent t
Published: 2017-06-13