CVE-2021-28170

Aliases:GHSA-v6w3-2prq-h95f
Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 26 May 2021, 21:55
Last modified:03 Aug 2024, 21:40

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
5.3 MEDIUM
v3.1 (nvd)
EPSS Score
0.11% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

26 May 2021, 21:55
Published
Vulnerability first disclosed
03 Aug 2024, 21:40
Last Modified
Vulnerability information updated

Description

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

CVSS Metrics

  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.11% Percentile: 30%

Techniques & Countermeasures

  • CWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

    The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • eclipsejakarta_expression_language

    ≤ 3.0.3

  • com.sun.elel-ri

    < 3.0.4

  • org.glassfishjakarta.el

    < 3.0.4

  • org.glassfishjavax.el

    ≤ 3.0.1-b12

  • oraclecommunications_cloud_native_core_policy

    1.14.0

  • UnknownWebLogic Server

    14.1.1.0.0

  • quarkusquarkus

    < 2.3.0

  • the eclipse foundationjakarta expression language implementation

    ≥ unspecified, ≤ 3.0.3

References (9)