CVE-2011-2730
high
CVSS v3
—
CVSS v2
7.5
VIR risk
7.5
Description
Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — http://support.springsource.com/security/cve-2011-2730
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework:spring-core | >=3.0.0,<3.0.6 | 3.0.6 |
| Maven | org.springframework:spring-core | <2.5.6.SEC03 | 2.5.6.SEC03 |
| Maven | org.springframework:spring-core | >=2.5.7.SR0,<2.5.7.SR023 | 2.5.7.SR023 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| springsource | spring_framework | {"endIncluding":"2.5.7_sr01"} | |
| springsource | spring_framework | 2.5.0 | |
| springsource | spring_framework | 2.5.1 | |
| springsource | spring_framework | 2.5.2 | |
| springsource | spring_framework | 2.5.3 | |
| springsource | spring_framework | 2.5.4 | |
| springsource | spring_framework | 2.5.5 | |
| springsource | spring_framework | 2.5.6 | |
| springsource | spring_framework | 2.5.7 | |
| springsource | spring_framework | 3.0.0 | |
| springsource | spring_framework | 3.0.1 | |
| springsource | spring_framework | 3.0.2 | |
| springsource | spring_framework | 3.0.3 | |
| springsource | spring_framework | 3.0.4 | |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
- http://rhn.redhat.com/errata/RHSA-2013-0191.html
- http://rhn.redhat.com/errata/RHSA-2013-0192.html
- http://rhn.redhat.com/errata/RHSA-2013-0193.html
- http://rhn.redhat.com/errata/RHSA-2013-0194.html
- http://rhn.redhat.com/errata/RHSA-2013-0195.html
- http://rhn.redhat.com/errata/RHSA-2013-0196.html
- http://rhn.redhat.com/errata/RHSA-2013-0197.html
- http://rhn.redhat.com/errata/RHSA-2013-0198.html
- http://rhn.redhat.com/errata/RHSA-2013-0221.html
- http://rhn.redhat.com/errata/RHSA-2013-0533.html
- http://secunia.com/advisories/51984
- http://secunia.com/advisories/52054
- http://secunia.com/advisories/55155
- http://support.springsource.com/security/cve-2011-2730
- http://www.debian.org/security/2012/dsa-2504
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.securitytracker.com/id/1029151
- https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit
- https://nvd.nist.gov/vuln/detail/CVE-2011-2730
- https://github.com/spring-projects/spring-framework/commit/62ccc8dd7e645fb91705d44919abac838cb5ca3f
- https://github.com/spring-projects/spring-framework/commit/9772eb8410e37cd0bdec0d1b133218446c778beb
- https://github.com/spring-projects/spring-framework/commit/b8d86330d1fadc645630416c3aaebf131bf749fc
- https://github.com/spring-projects/spring-framework
CWEs
CWE-16
Verify integrity in audit chain (admin only). AS-IS.