{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39181?format=json","vulnerability_id":"VCID-typx-8qp2-y3ec","summary":"Insecure Default Initialization of Resource\nApplications that do not change the value of the `MvcViewFactoryCreator` `useSpringBinding` property which is disabled by default can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.","aliases":[{"alias":"CVE-2017-8039"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54736?format=json","purl":"pkg:maven/org.springframework.webflow/spring-webflow@2.4.6.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.webflow/spring-webflow@2.4.6.RELEASE"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53695?format=json","purl":"pkg:maven/org.springframework.webflow/spring-webflow@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-118m-ekmk-wbgc"},{"vulnerability":"VCID-typx-8qp2-y3ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.webflow/spring-webflow@2.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/53696?format=json","purl":"pkg:maven/org.springframework.webflow/spring-webflow@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-118m-ekmk-wbgc"},{"vulnerability":"VCID-typx-8qp2-y3ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.webflow/spring-webflow@2.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/53697?format=json","purl":"pkg:maven/org.springframework.webflow/spring-webflow@2.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-118m-ekmk-wbgc"},{"vulnerability":"VCID-typx-8qp2-y3ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.webflow/spring-webflow@2.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/54735?format=json","purl":"pkg:maven/org.springframework.webflow/spring-webflow@2.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-typx-8qp2-y3ec"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.webflow/spring-webflow@2.4.5"}],"references":[{"reference_url":"http://www.securityfocus.com/bid/100849","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/100849"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-8039","reference_id":"CVE-2017-8039","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-8039"},{"reference_url":"https://pivotal.io/security/cve-2017-8039","reference_id":"CVE-2017-8039","reference_type":"","scores":[],"url":"https://pivotal.io/security/cve-2017-8039"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":1188,"name":"Initialization of a Resource with an Insecure Default","description":"The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-typx-8qp2-y3ec"}