5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-8039

GHSA ID

GHSA-q4v9-qjmw-j7vf

EPSS Score

0.40532%

CWE

CWE-1188

Published

5/13/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-8039

CVE-2017-8039: Insecure Default Initialization of Resource in Pivotal Spring Web Flow

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-8039

GHSA ID

GHSA-q4v9-qjmw-j7vf

EPSS Score

0.40532%

CWE

CWE-1188

Published

5/13/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.webflow:spring-webflow	maven	<= 2.4.5	2.4.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from MvcViewFactoryCreator's default configuration where useSpringBinding=false. The createViewFactory() method is directly responsible for view factory creation and data binding configuration. The Pivotal advisory explicitly links this class/property to the vulnerability and notes the incomplete CVE-2017-4971 fix was completed in these methods. During exploitation, this function would appear in profilers as it handles view state processing with insecure data binding.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Pivot*l Sprin* W** *low t*rou** *.*.*. *ppli**tions t**t *o not ***n** t** v*lu* o* t** Mv*Vi*w***tory*r**tor us*Sprin**in*in* prop*rty w*i** is *is**l** *y ****ult (i.*., s*t to '**ls*') **n ** vuln*r**l* to m*li*ious *L *

Reasoning

T** vuln*r**ility st*ms *rom `Mv*Vi*w***tory*r**tor`'s ****ult *on*i*ur*tion w**r* us*Sprin**in*in*=**ls*. T** `*r**t*Vi*w***tory()` m*t*o* is *ir**tly r*sponsi*l* *or vi*w ***tory *r**tion *n* **t* *in*in* *on*i*ur*tion. T** Pivot*l **visory *xpli*i

5.9

Basic Information

Concerned about an active attack path?

CVE-2017-8039: Insecure Default Initialization of Resource in Pivotal Spring Web Flow

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI