Home > Vulnerability Database > CVE-2017-8039

Mend.io Vulnerability Database

CVE-2017-8039

Good to know:

Date: November 27, 2017

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

Language: Java

Severity Score

5.9

Related Resources (5)

Url: https://pivotal.io/security/cve-2017-8039

Url: http://www.securityfocus.com/bid/100849

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-8039

Url: https://www.mend.io/resources/blog/top-5-open-source-security-vulnerabilities-in-december

Url: https://www.mend.io/vulnerability-database/CVE-2017-8039

Severity Score

5.9

Weakness Type (CWE)

Security Features

CWE-254

Insecure Default Initialization of Resource

CWE-1188

Top Fix

Upgrade Version

Upgrade to version 2.4.6.RELEASE

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-8039

Good to know:

Date: November 27, 2017

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?