Vulnerability details: VCID-4cs8-eeu5-nkdd
Vulnerability ID VCID-4cs8-eeu5-nkdd
Aliases CVE-2011-2730
GHSA-wv88-pf73-x22p
Summary Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework. VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
Reference id Reference type URL
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
http://rhn.redhat.com/errata/RHSA-2013-0191.html
http://rhn.redhat.com/errata/RHSA-2013-0192.html
http://rhn.redhat.com/errata/RHSA-2013-0194.html
http://rhn.redhat.com/errata/RHSA-2013-0195.html
http://rhn.redhat.com/errata/RHSA-2013-0196.html
http://rhn.redhat.com/errata/RHSA-2013-0198.html
http://rhn.redhat.com/errata/RHSA-2013-0221.html
http://rhn.redhat.com/errata/RHSA-2013-0533.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2730.json
https://api.first.org/data/v1/epss?cve=CVE-2011-2730
https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit
https://github.com/spring-projects/spring-framework
https://github.com/spring-projects/spring-framework/commit/62ccc8dd7e645fb91705d44919abac838cb5ca3f
https://github.com/spring-projects/spring-framework/commit/9772eb8410e37cd0bdec0d1b133218446c778beb
https://github.com/spring-projects/spring-framework/commit/b8d86330d1fadc645630416c3aaebf131bf749fc
https://github.com/spring-projects/spring-framework/commit/c8649087792d07df209fc75e0f9e2e3284e09fe
https://github.com/spring-projects/spring-framework/commit/d95cbe23ee462245c5c2482e175f7b2a921b31c
https://nvd.nist.gov/vuln/detail/CVE-2011-2730
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2730
http://www.debian.org/security/2012/dsa-2504
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
737608 https://bugzilla.redhat.com/show_bug.cgi?id=737608
CVE-2011-2730 http://support.springsource.com/security/cve-2011-2730
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.97703
EPSS Score 0.46306
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:35:36.565050+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wv88-pf73-x22p/GHSA-wv88-pf73-x22p.json 38.6.0