Description
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- Spring / Spring Web Flow4.0.0 – 4.0.0.1
- Spring / Spring Web Flow3.0.0 – 3.0.1.1
- Spring / Spring Web Flow2.5.0 – 2.5.2