CVE-2017-8039

NONE EPSS 57.3%
Published Nov 27, 2017 (8y ago) · Modified Jun 17, 2026 (2w ago)

Description

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

Threat Intelligence

EPSS Exploit Probability
57.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-1188

Affected Products 5

Vendor    Product            Version    Range
pivotal   spring_web_flow    2.4.0      any
pivotal   spring_web_flow    2.4.1      any
pivotal   spring_web_flow    2.4.2      any
pivotal   spring_web_flow    2.4.4      any
pivotal   spring_web_flow    2.4.5      any

References 2

  • securityfocus.com http://www.securityfocus.com/bid/100849
    Third Party Advisory, VDB Entry
  • pivotal.io https://pivotal.io/security/cve-2017-8039
    Issue Tracking, Mitigation, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.