Vulnerabilities > CVE-2017-8039 - Insecure Default Initialization of Resource vulnerability in Pivotal Spring web Flow

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

pivotal

CWE-1188

NVD

Published: 2017-11-27

Updated: 2019-10-03

Summary

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

Vulnerable Configurations

Part	Description	Count
Application	Pivotal Pivotal Spring WEB Flow 2.4.4 Pivotal Spring WEB Flow 2.4.1 Pivotal Spring WEB Flow 2.4.0 Pivotal Spring WEB Flow 2.4.2 Pivotal Spring WEB Flow 2.4.5	5

Common Weakness Enumeration (CWE)

CWE-1188 - Insecure Default Initialization of Resource

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References