Description
The Spring Expression Language (SpEL) provides a powerful expression language for querying and manipulating an object graph at runtime.
The Spring Boot framework improperly handled exceptions when preparing Whitelabel Error pages and user-controlled exception messages were evaluated as SpEL expressions allowing an attacker to execute arbitrary code.
Remediation
Upgrade to the latest version of Spring Boot.
Spring Boot versions 1.2.8 and 1.3.1 have been released to fix this vulnerability.