CVE-2017-4971

MEDIUM LAB

Pivotal Spring Web Flow <2.4.4 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-4971. PoCs published by cved-sources.

AI-analyzed exploit summary This repository is a stub for CVE-2017-4971, referencing a vulnerable Docker container setup for Spring Web Flow. It does not contain exploit code but points to external sources for further details.

Description

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Exploits (1)

nomisec STUB
by cved-sources · poc
https://github.com/cved-sources/cve-2017-4971

This repository is a stub for CVE-2017-4971, referencing a vulnerable Docker container setup for Spring Web Flow. It does not contain exploit code but points to external sources for further details.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Spring Web Flow
No auth needed
Prerequisites: Docker environment · Access to referenced external repositories
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98785
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2017-4971
Issue Tracking, Patch x_refsource_confirm
https://jira.spring.io/browse/SWF-1700

Scores

CVSS v3 5.9
EPSS 0.7536
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull tomcat:8-jre8

Details

CWE
CWE-1188
Status published
Products (6)
n/a/Spring Web Flow Spring Web Flow
org.springframework.webflow/spring-webflow 2.4.0 - 2.4.5Maven
pivotal/spring_web_flow 2.4.0
pivotal/spring_web_flow 2.4.1
pivotal/spring_web_flow 2.4.2
pivotal/spring_web_flow 2.4.4
Published Jun 13, 2017
Tracked Since Feb 18, 2026