Spring Web Flow SPEL Command Injection

Strike ID: E17-0f3v1
CVSS: 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
False Positive: f
Variants: 1
Year: 2017

Description

This strike exploits a remote command injection vulnerability in the Pivotal Spring Web Flow framework. The vulnerability exists because of insufficient validation of SpEL expressions used in data binding. It can be exploited by sending a specially crafted HTTP request, allowing arbitrary command injection.

CVE

References

Bid