CVE-2011-2730

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit
http://www.debian.org/security/2012/dsa-2504
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
http://support.springsource.com/security/cve-2011-2730	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0194.html
http://secunia.com/advisories/51984
http://rhn.redhat.com/errata/RHSA-2013-0195.html
http://secunia.com/advisories/52054
http://rhn.redhat.com/errata/RHSA-2013-0198.html
http://rhn.redhat.com/errata/RHSA-2013-0197.html
http://rhn.redhat.com/errata/RHSA-2013-0191.html
http://rhn.redhat.com/errata/RHSA-2013-0196.html
http://rhn.redhat.com/errata/RHSA-2013-0221.html
http://rhn.redhat.com/errata/RHSA-2013-0193.html
http://rhn.redhat.com/errata/RHSA-2013-0192.html
http://secunia.com/advisories/55155
http://www.securitytracker.com/id/1029151
http://rhn.redhat.com/errata/RHSA-2013-0533.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:springsource:spring_framework:2.5.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.5:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.6:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.4:::::::*
	cpe:2.3:a:springsource:spring_framework::::::::
	cpe:2.3:a:springsource:spring_framework:2.5.3:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.4:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.2:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.3:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.1:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.2:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.1:::::::*
	cpe:2.3:a:springsource:spring_framework::::::::
	cpe:2.3:a:springsource:spring_framework:2.5.0:rc1::::::
	cpe:2.3:a:springsource:spring_framework:2.5.0:rc2::::::
	cpe:2.3:a:springsource:spring_framework:2.5.7:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.0:::::::*

Information

Published : 2012-12-05 09:55

Updated : 2017-08-08 18:29

NVD link : CVE-2011-2730

Mitre link : CVE-2011-2730

JSON object : View

CWE

CWE-16

Configuration

Products Affected

springsource

spring_framework

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit", "name": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit", "tags": [], "refsource": "MISC"}, {"url": "http://www.debian.org/security/2012/dsa-2504", "name": "DSA-2504", "tags": [], "refsource": "DEBIAN"}, {"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814", "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814", "tags": [], "refsource": "MISC"}, {"url": "http://support.springsource.com/security/cve-2011-2730", "name": "http://support.springsource.com/security/cve-2011-2730", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html", "name": "RHSA-2013:0194", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/51984", "name": "51984", "tags": [], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html", "name": "RHSA-2013:0195", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/52054", "name": "52054", "tags": [], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html", "name": "RHSA-2013:0198", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html", "name": "RHSA-2013:0197", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html", "name": "RHSA-2013:0191", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html", "name": "RHSA-2013:0196", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html", "name": "RHSA-2013:0221", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html", "name": "RHSA-2013:0193", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html", "name": "RHSA-2013:0192", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/55155", "name": "55155", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.securitytracker.com/id/1029151", "name": "1029151", "tags": [], "refsource": "SECTRACK"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html", "name": "RHSA-2013:0533", "tags": [], "refsource": "REDHAT"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka \"Expression Language Injection.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-16"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-2730", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2012-12-05T17:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.0.5"}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.5.7_sr01"}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-09T01:29Z"}

7.5 /10