Insecure Defaults Affecting org.springframework.webflow:spring-webflow package, versions [,2.4.5.RELEASE)
Threat Intelligence
EPSS
25.9% (97th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKWEBFLOW-31452
- published 7 Jun 2017
- disclosed 31 May 2016
- credit Stefano Ciccone
Introduced: 31 May 2016
CVE-2017-4971 Open this link in a new tabOverview
org.springframework.webflow:spring-webflow facilitates building web applications that require guided navigation.
Affected versions of this package are vulnerable to Data Binding Expression Vulnerability due to setting the default value of the MvcViewFactoryCreator useSpringBinding property to false. If the application does not have a sub-element to declare explicit data binding property mappings, it can be vulnerable to malicious EL expressions in view states that process form submissions.
For more information on Insecure Defaults, go to our blog.
References
CVSS Scores
version 3.1