CVE-2011-2730
First published: Wed Dec 05 2012(Updated: )
Spring Framework could allow a remote attacker to obtain sensitive information, caused by an error when handling the Expression Language. An attacker could exploit this vulnerability to obtain classpaths and other sensitive information.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SpringSource Spring Framework | =2.5.0 | |
| SpringSource Spring Framework | =3.0.1 | |
| SpringSource Spring Framework | =2.5.3 | |
| SpringSource Spring Framework | =3.0.2 | |
| SpringSource Spring Framework | =2.5.5 | |
| SpringSource Spring Framework | =2.5.6 | |
| SpringSource Spring Framework | <=2.5.7_sr01 | |
| SpringSource Spring Framework | =2.5.0-rc1 | |
| SpringSource Spring Framework | =3.0.4 | |
| SpringSource Spring Framework | =2.5.4 | |
| SpringSource Spring Framework | =2.5.0-rc2 | |
| SpringSource Spring Framework | <=3.0.5 | |
| SpringSource Spring Framework | =3.0.3 | |
| SpringSource Spring Framework | =2.5.2 | |
| SpringSource Spring Framework | =2.5.7 | |
| SpringSource Spring Framework | =3.0.0 | |
| SpringSource Spring Framework | =2.5.1 | |
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
| maven/org.springframework:spring-core | >=2.5.7.SR0<=2.5.7.SR022 | 2.5.7.SR023 |
| maven/org.springframework:spring-core | <=2.5.6.SEC02 | 2.5.6.SEC03 |
| maven/org.springframework:spring-core | >=3.0.0<3.0.6 | 3.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit
- http://www.debian.org/security/2012/dsa-2504
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
- http://support.springsource.com/security/cve-2011-2730
- http://rhn.redhat.com/errata/RHSA-2013-0194.html
- http://secunia.com/advisories/51984
- http://rhn.redhat.com/errata/RHSA-2013-0195.html
- http://secunia.com/advisories/52054
- http://rhn.redhat.com/errata/RHSA-2013-0198.html
- http://rhn.redhat.com/errata/RHSA-2013-0197.html
- http://rhn.redhat.com/errata/RHSA-2013-0191.html
- http://rhn.redhat.com/errata/RHSA-2013-0196.html
- http://rhn.redhat.com/errata/RHSA-2013-0221.html
- http://rhn.redhat.com/errata/RHSA-2013-0193.html
- http://rhn.redhat.com/errata/RHSA-2013-0192.html
- http://secunia.com/advisories/55155
- http://www.securitytracker.com/id/1029151
- http://rhn.redhat.com/errata/RHSA-2013-0533.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69688
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2011-2730
- https://github.com/spring-projects/spring-framework/commit/62ccc8dd7e645fb91705d44919abac838cb5ca3f
- https://github.com/spring-projects/spring-framework/commit/9772eb8410e37cd0bdec0d1b133218446c778beb
- https://github.com/spring-projects/spring-framework/commit/b8d86330d1fadc645630416c3aaebf131bf749fc
- https://github.com/advisories/GHSA-wv88-pf73-x22p (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID is CVE-2011-2730.
What is the severity of CVE-2011-2730?
The severity of CVE-2011-2730 is high with a CVSS score of 7.5.
Which software versions are affected by CVE-2011-2730?
The affected software versions are SpringSource Spring Framework 2.5.0, 3.0.1, 2.5.3, 3.0.2, 2.5.5, 2.5.6, and up to 2.5.7_sr01.
How can a remote attacker exploit this vulnerability?
A remote attacker can exploit this vulnerability by evaluating Expression Language (EL) expressions in tags twice.
Are there any references for CVE-2011-2730?
Yes, you can refer to the following links: [1](https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit), [2](http://www.debian.org/security/2012/dsa-2504), [3](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814).
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wv88-pf73-x22p
- alias/CVE-2011-2730
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/severity
- agent/softwarecombine
- agent/event
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/springsource
- canonical/springsource spring framework
- version/springsource spring framework/2.5.0
- version/springsource spring framework/3.0.1
- version/springsource spring framework/2.5.3
- version/springsource spring framework/3.0.2
- version/springsource spring framework/2.5.5
- version/springsource spring framework/2.5.6
- version/springsource spring framework/2.5.7_sr01
- version/springsource spring framework/2.5.0-rc1
- version/springsource spring framework/3.0.4
- version/springsource spring framework/2.5.4
- version/springsource spring framework/2.5.0-rc2
- version/springsource spring framework/3.0.5
- version/springsource spring framework/3.0.3
- version/springsource spring framework/2.5.2
- version/springsource spring framework/2.5.7
- version/springsource spring framework/3.0.0
- version/springsource spring framework/2.5.1
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19