CVE-2017-8039: Insecure Default Initialization of Resource

November 27, 2017 (updated October 3, 2019)

Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

References

www.securityfocus.com/bid/100849
nvd.nist.gov/vuln/detail/CVE-2017-8039
pivotal.io/security/cve-2017-8039

Code Behaviors & Features

Detect and mitigate CVE-2017-8039 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →