Description
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.
References (2)
Core 2
Core References
Issue Tracking, Mitigation, Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2017-8039
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100849
Scores
CVSS v3
5.9
EPSS
0.0096
EPSS Percentile
56.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-1188
Status
published
Products (7)
n/a/Spring Web Flow Spring Web Flow 2.4.0 to 2.4.5 and Older unsupported versions are also affected
Spring Web Flow Spring Web Flow 2.4.0 to 2.4.5 and Older unsupported versions are also affected
org.springframework.webflow/spring-webflow
0 - 2.4.6Maven
pivotal/spring_web_flow
2.4.0
pivotal/spring_web_flow
2.4.1
pivotal/spring_web_flow
2.4.2
pivotal/spring_web_flow
2.4.4
pivotal/spring_web_flow
2.4.5
Published
Nov 27, 2017
Tracked Since
Feb 18, 2026