Data Binding Expression Vulnerability in Spring Web Flow

Description
  • Spring Web Flow is a sub-component of the Spring framework. It builds on Spring MVC and lets an application define the flows of its web pages.

    Applications that leave the MvcViewFactoryCreator useSpringBinding property at its default value (the property is disabled by default, i.e. set to "false") can be vulnerable to malicious EL expressions in view states that process form submissions but lack a sub-element declaring explicit data binding property mappings.
Remediation
  • Upgrade to the latest version of Spring Web Flow.
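The two configuration points the description names, shown side by side as an added example (constructed for this page, not taken from the advisory or from the Spring Web Flow project): the MvcViewFactoryCreator bean with useSpringBinding switched on, and a view state whose data binding is limited to explicitly declared properties. Bean ids, the flow's state ids, the `example.Booking` class and its properties are hypothetical; upgrading remains the remediation the advisory gives.

```xml
<!-- webflow-config.xml (constructed example; bean ids are hypothetical) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:webflow="http://www.springframework.org/schema/webflow-config"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/webflow-config
         http://www.springframework.org/schema/webflow-config/spring-webflow-config.xsd">

  <!-- Leaving out the useSpringBinding property keeps its default of "false",
       the setting the advisory describes as exposed. Setting it to "true"
       hands form binding to Spring MVC's data binder instead. -->
  <bean id="mvcViewFactoryCreator"
        class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
    <property name="viewResolvers" ref="viewResolver"/>
    <property name="useSpringBinding" value="true"/>
  </bean>

  <webflow:flow-builder-services id="flowBuilderServices"
                                 view-factory-creator="mvcViewFactoryCreator"/>
</beans>

<!-- booking-flow.xml (constructed example; state ids and properties are hypothetical) -->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
        http://www.springframework.org/schema/webflow/spring-webflow.xsd">

  <var name="booking" class="example.Booking"/>

  <!-- A view state that processes a form but declares no binder is the shape the
       advisory warns about. The binder below restricts binding to an explicit
       allow-list of model properties; any other submitted parameter is ignored. -->
  <view-state id="enterBookingDetails" model="booking">
    <binder>
      <binding property="checkinDate"/>
      <binding property="checkoutDate"/>
    </binder>
    <transition on="proceed" to="reviewBooking"/>
    <transition on="cancel" to="cancel" bind="false"/>
  </view-state>

  <end-state id="reviewBooking"/>
  <end-state id="cancel"/>
</flow>
```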
References