Medium severity5.9NVD Advisory· Published Nov 27, 2017· Updated May 13, 2026

CVE-2017-8039

Description

An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.webflow:spring-webflowMaven	< 2.4.6	2.4.6

Affected products

Pivotal/Spring Web Flow5 versions
cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:pivotal:spring_web_flow:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal:spring_web_flow:2.4.5:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/100849nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-q4v9-qjmw-j7vfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-8039ghsaADVISORY
pivotal.io/security/cve-2017-8039nvdIssue TrackingMitigationVendor AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000