org.springframework.webflow:spring-webflow 2.4.5.RELEASE

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.webflow:spring-webflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') org.springframework.webflow:spring-webflow is a maven plugin for Spring Web Flow. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') via the `WebFlowELExpressionParser` function. An attacker can execute arbitrary Unified EL expressions by supplying crafted input during data binding. Note: This is only exploitable if the following conditions are met: The application explicitly configures the `WebFlowELExpressionParser` or its base class "ELExpressionParser". The `useSpringBinding` configuration property has not been set to true. View states do not use the `<binding>` element on a view state to declare the properties to bind. How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')? Upgrade `org.springframework.webflow:spring-webflow` to version 3.0.2, 4.0.1 or higher.	[,3.0.2)[4.0.0-RC1,4.0.1)
M Insecure Defaults `org.springframework.webflow:spring-webflow` facilitates building web applications that require guided navigation. Affected versions of this package are vulnerable to Insecure defaults due to an incomplete fix for CVE-2017-4971. An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the `MvcViewFactoryCreator` `useSpringBinding` property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. For more information on Insecure Defaults, go to our blog.	[,2.4.6.RELEASE)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

org.springframework.webflow:spring-webflow is a maven plugin for Spring Web Flow.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') via the WebFlowELExpressionParser function. An attacker can execute arbitrary Unified EL expressions by supplying crafted input during data binding.

Note:

This is only exploitable if the following conditions are met:

The application explicitly configures the WebFlowELExpressionParser or its base class "ELExpressionParser".
The useSpringBinding configuration property has not been set to true.
View states do not use the <binding> element on a view state to declare the properties to bind.

How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')?

Upgrade org.springframework.webflow:spring-webflow to version 3.0.2, 4.0.1 or higher.

[,3.0.2)[4.0.0-RC1,4.0.1)

Insecure Defaults

org.springframework.webflow:spring-webflow facilitates building web applications that require guided navigation.

Affected versions of this package are vulnerable to Insecure defaults due to an incomplete fix for CVE-2017-4971.

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

For more information on Insecure Defaults, go to our blog.

[,2.4.6.RELEASE)

org.springframework.webflow:spring-webflow@2.4.5.RELEASE

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically