org.springframework.webflow:spring-webflow 2.4.1.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.webflow:spring-webflow package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Insecure Defaults `org.springframework.webflow:spring-webflow` facilitates building web applications that require guided navigation. Affected versions of this package are vulnerable to Insecure defaults due to an incomplete fix for CVE-2017-4971. An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the `MvcViewFactoryCreator` `useSpringBinding` property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. For more information on Insecure Defaults, go to our blog.	[,2.4.6.RELEASE)
M Insecure Defaults `org.springframework.webflow:spring-webflow` facilitates building web applications that require guided navigation. Affected versions of this package are vulnerable to Data Binding Expression Vulnerability due to setting the default value of the `MvcViewFactoryCreator useSpringBinding` property to `false`. If the application does not have a sub-element to declare explicit data binding property mappings, it can be vulnerable to malicious EL expressions in view states that process form submissions. For more information on Insecure Defaults, go to our blog.	[,2.4.5.RELEASE)

Vulnerability

Vulnerable Version

Insecure Defaults

org.springframework.webflow:spring-webflow facilitates building web applications that require guided navigation.

Affected versions of this package are vulnerable to Insecure defaults due to an incomplete fix for CVE-2017-4971.

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

For more information on Insecure Defaults, go to our blog.

[,2.4.6.RELEASE)

Insecure Defaults

org.springframework.webflow:spring-webflow facilitates building web applications that require guided navigation.

Affected versions of this package are vulnerable to Data Binding Expression Vulnerability due to setting the default value of the MvcViewFactoryCreator useSpringBinding property to false. If the application does not have a sub-element to declare explicit data binding property mappings, it can be vulnerable to malicious EL expressions in view states that process form submissions.

For more information on Insecure Defaults, go to our blog.

[,2.4.5.RELEASE)

org.springframework.webflow:spring-webflow@2.4.1.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?