spring-attic/spring-boot-issues

whitelabel error page vulnerability

girtsn opened this issue · 2 comments

Hello.
There is a SpEL injection problem (I would consider it a vulnerability) with the whitelabel error page.
If an error message shows the submitted value (e.g. a type conversion between a string and a boolean) and that value contains a SpEL expression, it will be evaluated server side.
I know the recommendation is to disable the whitelabel page, but I suppose this should still get fixed.
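The following is an added illustration of the mechanism described in the report; it is not code from the issue, from Spring Boot, or from its maintainers. It assumes a hypothetical page body with a `${message}` placeholder, a constructed `ErrorAttributes` holder and a constructed error message in which the "submitted value" is the harmless expression `${7*7}`; it uses only the public SpEL API (`spring-expression`) plus `HtmlUtils` from `spring-web`, and `SimpleEvaluationContext`, which requires Spring Framework 4.3.15 / 5.0.5 or later. The vulnerable renderer fills the placeholder and then parses the result as a SpEL template a second time, so an expression carried inside the message is evaluated; the hardened renderer makes a single pass, so the same message is inserted as opaque text.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.web.util.HtmlUtils;

public class WhitelabelSpelDemo {

    /** Hypothetical holder for the error attributes exposed to the page (constructed for this demo). */
    public static final class ErrorAttributes {
        private final String message;
        public ErrorAttributes(String message) { this.message = message; }
        public String getMessage() { return message; }
    }

    // Hypothetical page body; "${message}" is the placeholder the renderer fills in.
    static final String PAGE = "<h1>Whitelabel Error Page</h1><div>${message}</div>";
    static final ParserContext DOLLAR_TEMPLATE = new TemplateParserContext("${", "}");
    static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /**
     * Vulnerable pattern: the placeholder is filled, then the filled text is parsed as a SpEL
     * template again. Any "${...}" that arrived inside the message value is evaluated on the server.
     */
    static String renderVulnerable(ErrorAttributes attrs) {
        String filled = evaluate(PAGE, attrs, new StandardEvaluationContext());
        return evaluate(filled, attrs, new StandardEvaluationContext());
    }

    /**
     * Hardened pattern: exactly one template pass, so the message value is inserted as opaque text
     * and is never parsed. The value is HTML-escaped for the browser, and a read-only data-binding
     * context is used so the page's own placeholders cannot reach type references or method calls.
     */
    static String renderSafe(ErrorAttributes attrs) {
        ErrorAttributes escaped = new ErrorAttributes(HtmlUtils.htmlEscape(attrs.getMessage()));
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return evaluate(PAGE, escaped, ctx);
    }

    /** Parses {@code template} as a "${...}" SpEL template and renders it against {@code root}. */
    private static String evaluate(String template, Object root, EvaluationContext ctx) {
        Expression expr = PARSER.parseExpression(template, DOLLAR_TEMPLATE);
        return expr.getValue(ctx, root, String.class);
    }

    public static void main(String[] args) {
        // Constructed message mimicking a type-conversion error that echoes the submitted value.
        // The "value" carries a harmless arithmetic expression rather than a real payload.
        String submitted = "${7*7}";
        ErrorAttributes attrs = new ErrorAttributes(
                "Failed to convert value '" + submitted + "' to type Boolean");

        System.out.println(renderVulnerable(attrs)); // expression inside the message was evaluated
        System.out.println(renderSafe(attrs));       // message echoed verbatim (HTML-escaped)
    }
}
```

With the constructed input, the first renderer prints the arithmetic result where the submitted text stood, which is exactly the server-side evaluation the report describes; the second prints the submitted text unchanged apart from HTML escaping. The decisive difference is the number of template passes, not the escaping: `HtmlUtils.htmlEscape` leaves `${` intact and only protects the browser, so a value that is re-parsed remains injectable however it is escaped.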

@girtsn This is the repository for sample projects that reproduce issues reported against Spring Boot. To report an issue with Spring Boot itself, please open an issue here. If you do so, can you please provide a concrete example of the problem?

Thanks for the advice, created spring-projects/spring-boot#4763