Medium severity5.9NVD Advisory· Published Jun 13, 2017· Updated May 13, 2026

CVE-2017-4971

Description

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.webflow:spring-webflowMaven	>= 2.4.0, < 2.4.5	2.4.5

Affected products

Pivotal/Spring Web Flow4 versions
cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jira.spring.io/browse/SWF-1700nvdIssue TrackingPatchWEB
pivotal.io/security/cve-2017-4971nvdMitigationPatchVendor AdvisoryWEB
www.securityfocus.com/bid/98785nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-fg9w-cffm-pmh2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-4971ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.060
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000