Insecure Defaults Affecting org.springframework.webflow:spring-webflow package, versions [,2.4.5.RELEASE)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    25.9% (97th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKWEBFLOW-31452
  • published 7 Jun 2017
  • disclosed 31 May 2016
  • credit Stefano Ciccone

Overview

org.springframework.webflow:spring-webflow facilitates building web applications that require guided navigation.

Affected versions of this package are vulnerable to Data Binding Expression Vulnerability due to setting the default value of the MvcViewFactoryCreator useSpringBinding property to false. If the application does not have a sub-element to declare explicit data binding property mappings, it can be vulnerable to malicious EL expressions in view states that process form submissions.

For more information on Insecure Defaults, go to our blog.

CVSS Scores

version 3.1
Expand this section

Snyk

5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    High
  • Availability (A)
    None