Description
The Spring Expression Language (SpEL) is a powerful expression language for querying and manipulating an object graph at runtime. Because a SpEL expression can reference classes and invoke methods, evaluating attacker-controlled text as SpEL is equivalent to letting the attacker run code on the server.
Spring Boot rendered its default Whitelabel Error page by substituting ${...} placeholders in the page template with values from the error model (timestamp, status, error, message, path) through a SpEL-backed placeholder resolver. The placeholder helper it used re-scanned each resolved value for further placeholders and evaluated those as SpEL as well. The exception message is one of the substituted values and frequently echoes request data, so an attacker who could trigger an exception whose message contained a ${...} expression could have that expression evaluated while the error page was prepared, allowing arbitrary code execution.
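The following Python model, added here and not code from Spring or Spring Boot, reproduces the mechanism described above: a placeholder helper that re-parses resolved values (the behaviour of Spring's PropertyPlaceholderHelper) next to a non-recursive variant (the behaviour Spring Boot moved to in 1.2.8 and 1.3.1). The SpEL parser is replaced by a stub that only knows the error-model keys and a small a*b arithmetic probe and records every other expression it is handed; the template, error model and exception messages are constructed for the example.

```python
"""Model of the Spring Boot Whitelabel error-page placeholder flaw.

Added example, not Spring code. `replace_placeholders` re-implements the
relevant behaviour of Spring's PropertyPlaceholderHelper (resolve `${...}`,
then parse the resolved value again) and of the non-recursive helper Spring
Boot switched to. `ExpressionSink` stands in for the SpEL parser.
"""
import re

# Trimmed stand-in for Spring Boot's default error view template (constructed).
WHITELABEL_TEMPLATE = (
    "<h1>Whitelabel Error Page</h1>"
    "<div>Status ${status}: ${error}</div>"
    "<div>${message}</div>"
)


class ExpressionSink:
    """Stand-in for SpelExpressionParser: records every expression it receives."""

    def __init__(self, model):
        self.model = model
        self.evaluated = []

    def evaluate(self, expr):
        self.evaluated.append(expr)
        if expr in self.model:
            return str(self.model[expr])
        probe = re.fullmatch(r"(\d+)\*(\d+)", expr)
        if probe:  # harmless arithmetic probe such as 7*7
            return str(int(probe.group(1)) * int(probe.group(2)))
        # Real SpEL would execute this (e.g. T(java.lang.Runtime)...); the
        # model only reports that attacker text reached the evaluator.
        return "<evaluated " + expr + ">"


def _find_closing(text, pos):
    """Return the index of the '}' closing the placeholder opened before pos."""
    depth = 1
    while pos < len(text):
        if text.startswith("${", pos):
            depth += 1
            pos += 2
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return pos
            pos += 1
        else:
            pos += 1
    raise ValueError("unterminated placeholder")


def replace_placeholders(text, sink, recursive, _visited=frozenset()):
    """Resolve ${...} placeholders in text via sink.

    recursive=True mirrors PropertyPlaceholderHelper: each resolved value is
    parsed again, so placeholders inside an exception message get evaluated.
    recursive=False mirrors the non-recursive helper: resolved values are
    inserted literally. _visited guards against circular references.
    """
    out, i = [], 0
    while True:
        start = text.find("${", i)
        if start < 0:
            out.append(text[i:])
            return "".join(out)
        end = _find_closing(text, start + 2)
        key = text[start + 2:end]
        if key in _visited:
            raise ValueError("circular placeholder reference: " + key)
        value = sink.evaluate(key)
        if recursive:
            value = replace_placeholders(value, sink, True, _visited | {key})
        out.append(text[i:start])
        out.append(value)
        i = end + 1


def render_error_page(message, recursive):
    """Render the error page for a constructed 400 error whose message echoes
    request data. Returns (html, list of expressions the evaluator saw)."""
    model = {"status": 400, "error": "Bad Request", "message": message}
    sink = ExpressionSink(model)
    html = replace_placeholders(WHITELABEL_TEMPLATE, sink, recursive)
    return html, sink.evaluated


if __name__ == "__main__":
    # A conversion error that echoes the offending request value (constructed).
    msg = "Failed to convert value '${7*7}'"
    for recursive in (True, False):
        html, seen = render_error_page(msg, recursive)
        print("recursive" if recursive else "non-recursive", html, seen)
    payload = "${T(java.lang.Runtime).getRuntime().exec('id')}"
    print(render_error_page(payload, True)[1])
```

In the recursive mode the probe message renders as "Failed to convert value '49'" and the attacker's T(java.lang.Runtime) expression is handed to the evaluator; in the non-recursive mode the message is rendered verbatim and only the template's own placeholders (status, error, message) are evaluated. A 49 appearing in the error page for a ${7*7} probe is therefore the check to run against an instance rather than a command-execution payload.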
Remediation
Upgrade to a fixed release of Spring Boot. Spring Boot 1.2.8 and 1.3.1 were released to fix this vulnerability; earlier 1.2.x releases and 1.3.0 render the Whitelabel Error page with the vulnerable placeholder handling.
If the upgrade cannot be applied immediately, disable the default error page (server.error.whitelabel.enabled=false) or supply a custom error view that does not pass exception messages through an expression evaluator, and confirm after upgrading that an exception message containing a ${...} probe is rendered verbatim in the error response.
Related Vulnerabilities
WordPress Plugin WordPress PDF Light Viewer Command Injection (1.4.11)
Drupal Core 6.x Remote Code Execution (6.0 - 6.38)
WordPress Plugin WP e-Commerce Shop Styling Remote File Inclusion (1.7.2)
Drupal Core 4.6.x Arbitrary Code Execution (4.6.0 - 4.6.7)
WordPress Plugin EWWW Image Optimizer Remote Code Execution (2.8.3)