Skip to content

Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework

High severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Feb 27, 2024

Package

maven org.springframework:spring-core (Maven)

Affected versions

>= 3.0.0, < 3.0.6
<= 2.5.6.SEC02
>= 2.5.7.SR0, <= 2.5.7.SR022

Patched versions

3.0.6
2.5.6.SEC03
2.5.7.SR023

Description

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

References

Published by the National Vulnerability Database Dec 5, 2012
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jul 13, 2022
Last updated Feb 27, 2024

Severity

High

EPSS score

2.298%
(89th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2011-2730

GHSA ID

GHSA-wv88-pf73-x22p

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.