CVE-2021-28170Improper Input Validation in Eclipse Foundation Jakarta Expression Language Implementation

CWE-20Improper Input ValidationCWE-917Expression Language Injection10 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 69.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
QuarkusTHE Eclipse Foundation Jakarta Expression Language ImplementationEclipse Jakarta Expression Language+2 more
Timeline
PublishedMay 26
Latest updateApr 15

Description

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

NVDquarkus/quarkus< 2.3.0
NVDoracle/weblogic_server14.1.1.0.0

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
Improper Input Validation in Jakarta Expression Language2021-10-06
GHSA
Improper Input Validation in Jakarta Expression Language2021-10-06
CVEList
CVE-2021-28170: In the Jakarta Expression Language implementation 32021-05-26
OSV
CVE-2021-28170: In the Jakarta Expression Language implementation 32021-05-26

📋Vendor Advisories

5
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Common Core (Jakarta Expression Language) — CVE-2021-281702025-04-15
Oracle
Oracle Oracle Commerce Risk Matrix: Dynamo Application Framework (Jakarta Expression Language) — CVE-2021-281702024-10-15
Oracle
Oracle Oracle Communications Risk Matrix: Policy (Jakarta) — CVE-2021-281702022-04-15
Red Hat
jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate2021-04-01
Debian
CVE-2021-28170: jakarta-el-api - In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in th...2021
CVE-2021-28170 — Improper Input Validation | cvebase