Spring Web Flow Known Vulnerabilities and Issues
Components of Spring Web Flow
Spring Web Flow is built from the following components. See the security advisories for each component for details of the security vulnerabilities and issues that may affect it.
| Component | Security advisories |
|---|---|
| Dojo | Dojo security advisories |
| Spring Framework | Spring Framework security advisories |
Spring Web Flow is built using the following versions of these components:
| Spring Web Flow version | Dojo version | Spring Framework version |
|---|---|---|
| 2.1.0.RELEASE | 1.2.4 | 3.0.3.RELEASE |
| 2.0.9.RELEASE | 1.2.4 | 2.5.6.SEC01 |
| 2.0.8.RELEASE | 1.2.0 | 2.5.6.SEC01 |
| 2.0.4.RELEASE to 2.0.7.RELEASE | 1.2.0 | 2.5.6 |
| 2.0.3.RELEASE | 1.1.0 | 2.5.5 |
| 2.0.1.RELEASE to 2.0.2.RELEASE | 1.1.0 | 2.5.4 |
| 2.0.0.RELEASE | 1.1.0 | 2.5.4.A |
Security vulnerabilities may also be present in earlier unsupported versions of Spring Web Flow and / or its dependencies.
Spring Web Flow is not vulnerable by default to the Dojo security issues announced on 11 March 2010. It is vulnerable only if the ResourceServlet is reconfigured to serve the affected files. Users running a version of Spring Web Flow that bundles an affected Dojo release are advised not to change the default configuration of the ResourceServlet. Spring Web Flow 2.0.9 bundles an updated Dojo release that is not affected by the issues announced on 11 March 2010.
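The default ResourceServlet declaration from the Spring Web Flow reference documentation, reproduced here as an added illustration (not part of this advisory), showing the configuration that should be left as-is on versions that bundle an affected Dojo release. The servlet name is the one used in the reference documentation; the comment marks the kind of change the advisory warns against.

```xml
<!-- web.xml fragment: default ResourceServlet declaration.
     On Spring Web Flow versions bundling an affected Dojo release,
     leave this as-is. -->
<servlet>
    <servlet-name>Resources Servlet</servlet-name>
    <servlet-class>org.springframework.js.resource.ResourceServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <!-- Do NOT add init parameters that widen which paths or file types
         the servlet will serve; that is the reconfiguration that exposes
         the affected Dojo files. -->
</servlet>
<servlet-mapping>
    <servlet-name>Resources Servlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
</servlet-mapping>
```

If your web.xml carries additional init parameters on this servlet, check whether they extend the set of served files before deciding whether the advisory's default-configuration statement applies to you.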
Spring Web Flow 2.1 is not vulnerable to CVE-2010-1622 by default, since it uses Spring EL for data binding. If configured to use Spring MVC for data binding it is still not vulnerable, since it ships with a version of the Spring Framework (3.0.3.RELEASE) that contains the fix. If configured to use Unified EL or OGNL for data binding, the fields used for binding must be explicitly defined (with a binder element in the flow definition) to avoid the vulnerability.
Spring Web Flow 2.0 uses Unified EL or OGNL for data binding, so the fields used for binding must be explicitly defined to avoid the vulnerability. If configured to use Spring MVC for data binding, the Spring Framework version used must be updated to 2.5.6.SEC02 to avoid the vulnerability.
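The explicit binding definition referred to above is the `<binder>` element of a Spring Web Flow view-state. The fragment below is an added example, not taken from the advisory or from a Spring Web Flow sample application; the state id, model name and property names are assumed for illustration.

```xml
<!-- Flow definition fragment (Spring Web Flow 2.x flow XML).
     Without a <binder>, any request parameter naming a writable property
     path on the model may be bound. With a <binder>, only the listed
     properties are bound and every other request parameter is ignored,
     which is the explicit field definition the advisory calls for when
     Unified EL or OGNL is used for data binding. -->
<view-state id="enterPaymentDetails" model="payment">
    <binder>
        <binding property="cardNumber" required="true" />
        <binding property="cardHolderName" required="true" />
        <binding property="expiryMonth" />
        <binding property="expiryYear" />
    </binder>
    <transition on="proceed" to="reviewPayment" />
</view-state>
```

Add a `<binder>` to every view-state that declares a `model`; a view-state that binds without one is the case the advisory describes as needing explicit field definitions.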
Known Vulnerabilities in Spring Web Flow
There are no known vulnerabilities in Spring Web Flow beyond those known to exist in the components of Spring Web Flow.