Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework
High severity
GitHub Reviewed
Published May 17, 2022 to the GitHub Advisory Database. Updated Feb 27, 2024.
Package
Affected versions              Patched versions
>= 3.0.0, < 3.0.6              3.0.6
<= 2.5.6.SEC02                 2.5.6.SEC03
>= 2.5.7.SR0, <= 2.5.7.SR022   2.5.7.SR023
Published by the National Vulnerability Database: Dec 5, 2012
Published to the GitHub Advisory Database: May 17, 2022
Reviewed: Jul 13, 2022
Last updated: Feb 27, 2024
Description
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
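For auditing JSPs on an affected release, the following added example (not part of the advisory or of Spring) lists every tag/attribute pair named above whose value contains an EL expression, since those are the values that get evaluated a second time. It assumes the tag library is bound to the `spring` prefix; the `high`/`review` labels and the request-object heuristic are this example's own, and the sample JSP is constructed.

```python
import re

# Tag -> attributes the advisory lists as evaluated twice (names lowercased).
MSG_ATTRS = {"arguments", "code", "text", "var", "scope", "message"}
AFFECTED = {
    "hasbinderrors": {"name"},
    "bind": {"path"},
    "nestedpath": {"path"},
    "message": MSG_ATTRS,
    "theme": MSG_ATTRS,
    "transform": {"var", "scope", "value"},
}
# JSP EL implicit objects that expose request-supplied data.
REQUEST_OBJS = re.compile(r"\b(param|paramValues|header|headerValues|cookie)\b")
TAG_RE = re.compile(r"<spring:(\w+)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r"""([\w:]+)\s*=\s*("([^"]*)"|'([^']*)')""")

# Constructed sample JSP, for illustration only.
SAMPLE = '''<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:message code="${param.key}" />
<spring:message code="label.title" />
<spring:bind path="${formPath}">
<spring:transform value="${item.date}" var="d" />
<spring:url value="${param.next}" />
'''

def audit_jsp(source, filename="<jsp>"):
    """Return one finding per listed attribute whose value contains ${...}."""
    findings = []
    for tag in TAG_RE.finditer(source):
        attrs = AFFECTED.get(tag.group(1).lower())
        if attrs is None:
            continue  # tag is not named in the advisory
        line = source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            value = attr.group(3) if attr.group(3) is not None else attr.group(4)
            if attr.group(1).lower() not in attrs or "${" not in value:
                continue
            exprs = re.findall(r"\$\{([^}]*)\}", value)
            # Expressions fed directly from the request are reviewed first.
            risky = any(REQUEST_OBJS.search(e) for e in exprs)
            findings.append({"file": filename, "line": line,
                             "tag": "spring:" + tag.group(1),
                             "attribute": attr.group(1), "value": value,
                             "priority": "high" if risky else "review"})
    return findings

if __name__ == "__main__":
    print(*audit_jsp(SAMPLE, "sample.jsp"), sep="\n")
```

A `review` finding still needs tracing: the value is a concern whenever the result of the first evaluation can contain text a remote user controls.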