CVE-2011-2730: EL expressions double evaluation
When a container supports Expression Language (EL), this package evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a name attribute in a spring:hasBindErrors tag; path attribute in a spring:bind or spring:nestedpath tag; arguments, code, text, var, scope, or message attribute in a spring:message or spring:theme tag; or var, scope, or value attribute in a spring:transform tag, aka Expression Language Injection.
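An audit helper for the tag and attribute pairs listed above, added here as an example and not part of the advisory or of the affected package: it scans JSP source for those attributes whose value contains an EL expression, since those are the values that reach the second evaluation. It assumes the taglib is bound to the prefix `spring`; the function name, the sample page, and the request-derived flag (a triage heuristic based on the JSP EL implicit objects) are illustrative.

```python
import re

# Tag -> attributes, exactly as listed in the advisory text above.
_MSG = {"arguments", "code", "text", "var", "scope", "message"}
AFFECTED = {
    "hasbinderrors": {"name"}, "bind": {"path"}, "nestedpath": {"path"},
    "message": _MSG, "theme": _MSG, "transform": {"var", "scope", "value"},
}

# Assumption: the Spring taglib is bound to the prefix "spring".
# Quoted values are consumed whole, so a '>' inside an expression is safe.
TAG_RE = re.compile(
    r"""<spring:(\w+)((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*/?>""")
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
EL_RE = re.compile(r"\$\{[^}]*\}")
# JSP EL implicit objects that expose request data (triage heuristic only).
REQUEST_RE = re.compile(r"\b(?:param|paramValues|header|headerValues|cookie)\b")

def find_el_attributes(jsp_text):
    """Return (line, tag, attr, value, request_derived) per listed attribute using EL."""
    findings = []
    for tag in TAG_RE.finditer(jsp_text):
        attrs = AFFECTED.get(tag.group(1).lower())  # matches nestedpath/nestedPath
        if not attrs:
            continue
        line = jsp_text.count("\n", 0, tag.start()) + 1
        for m in ATTR_RE.finditer(tag.group(2)):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            exprs = EL_RE.findall(value)
            if m.group(1) in attrs and exprs:
                request_derived = any(REQUEST_RE.search(e) for e in exprs)
                findings.append(
                    (line, tag.group(1), m.group(1), value, request_derived))
    return findings

# Constructed sample page, not taken from any real application.
SAMPLE_JSP = """<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:message code="welcome.title"/>
<spring:message text="${param.greeting}"/>
<spring:bind path="${formName}.email">
<spring:transform value="${order.total > 0 ? order.total : 0}" var="t"/>
<spring:url value="${param.next}"/>
"""

if __name__ == "__main__":
    for f in find_el_attributes(SAMPLE_JSP):
        print("line %d: <spring:%s %s=%r> request-derived=%s" % f)
```

Findings flagged as request-derived are the ones to review first; the others still pass through the double evaluation and need their data source traced by hand.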