Spring Boot Default Error Page Expression Language Injection Exploit

Spring Boot Framework 1.2.7 provides a default error page (also known as the "Whitelabel Error Page") that is prone to Spring Expression Language injection when a parameter is expected to be of a type other than string but a string is provided. Applications based on Spring Boot that neither deactivate the feature nor customize it in a way that stops the injection are thus susceptible to the execution of some Java statements and, in particular, to OS command injection. This module checks all the parameters in the given pages and, if at least one parameter is vulnerable to the injection, installs an OS Agent.
Vulnerability ID: CVE-2013-1966
Product Version: 2015_R1
Released Date: Thursday, February 11, 2016 - 00:00