Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Spring Boot Whitelabel Error Page SpEL - Vulnerability Database

Spring Boot Whitelabel Error Page SpEL

Description

The Spring Expression Language (SpEL) provides a powerful expression language for querying and manipulating an object graph at runtime.

The Spring Boot framework improperly handled exceptions when preparing Whitelabel Error pages and user-controlled exception messages were evaluated as SpEL expressions allowing an attacker to execute arbitrary code.

Remediation

Upgrade to the latest version of Spring Boot. <br/>Spring Boot versions 1.2.8 and 1.3.1 have been released to fix this vulnerability.

References

Spring Boot RCE
YAHOO! RCE VIA SPRING ENGINE SSTI
whitelabel error page vulnerability
Spring Boot 1.3.1 and 1.2.8 available now

Related Vulnerabilities

Server-Side Template Injection Critical
Common tags: Code Execution Server Side Template Injection
VMware Workspace ONE Access SSTI (CVE-2022-22954) High
Common tags: Code Execution Server Side Template Injection
CrushFTP SSTI (CVE-2024-4040) Critical
Common tags: Code Execution Server Side Template Injection
Apache Log4j2 JNDI Remote Code Execution (404 page handler) Critical
Common tags: Code Execution Error Handling
WordPress 2.0.2 Username Remote PHP Code Injection Vulnerability (0.6.2 - 2.0.2) High
Common tags: Code Execution

Severity

High

Classification

CWE-94
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution
Error Handling
Server Side Template Injection