What is CVE-2017-4971?

CVE-2017-4971 is a medium-severity vulnerability in Pivotal Spring_web_flow, classified under Initialization of a Resource with an Insecure Default. CVSS score: 5.9/10. Published 2017-06-13.

How severe is CVE-2017-4971?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Is CVE-2017-4971 known to be exploited?

30 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Pivotal Spring_web_flow

CVE-2017-4971

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to mal…

EPSS: 0.754 (98.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Pivotal Spring_web_flow — versions 2.4.0, 2.4.1, 2.4.2
N/a Spring Web Flow — versions Spring Web Flow

Weakness classification (CWE)

CWE-1188 — Initialization of a Resource with an Insecure Default

Public proof-of-concept exploits

References

security_alert@emc.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)
security_alert@emc.com (x_refsource_CONFIRM, Patch, Mitigation, Vendor Advisory)
security_alert@emc.com (x_refsource_CONFIRM, Patch, Issue Tracking)

Frequently asked questions

What is CVE-2017-4971?: CVE-2017-4971 is a medium-severity vulnerability in Pivotal Spring_web_flow, classified under Initialization of a Resource with an Insecure Default. CVSS score: 5.9/10. Published 2017-06-13.
How severe is CVE-2017-4971?: Medium severity. CVSS v3 base score is 5.9 out of 10.
Is CVE-2017-4971 known to be exploited?: 30 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.