CVE-2017-8039
published 2017-11-27CVE-2017-8039: An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding…
PriorityP427medium5.9CVSS 3.0
AVNACHPRNUINSUCNIHAN
EPSS
0.96%
57.2th percentile
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
| pivotal | spring_web_flow | — | — |
CVSS provenance
nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
ghsa5.9MEDIUM
osv5.9MEDIUM
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
osv·2022-05-13·CVSS 5.9
CVE-2017-8039 [MEDIUM] Insecure Default Initialization of Resource in Pivotal Spring Web Flow
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
GHSA
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
ghsa·2022-05-13·CVSS 5.9
CVE-2017-8039 [MEDIUM] CWE-1188 Insecure Default Initialization of Resource in Pivotal Spring Web Flow
Insecure Default Initialization of Resource in Pivotal Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
Red Hat
spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
vendor_redhat·2017-09-15·CVSS 5.9
CVE-2017-8039 [MEDIUM] spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
spring-webflow: Data Binding Expression Vulnerability in Spring Web Flow
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
Statement: This issue affects the versions of spring-webflow as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having (Low|Moderate) security impact. A future update may address this issue. For additional informat
No detection rules found.
No public exploits indexed.
2017-11-27
Published