Improper Input Validation Affecting org.glassfish:jakarta.el Open this link in a new tab package, versions [0,3.0.4)


0.0
high
  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGGLASSFISH-1297098

  • published

    27 May 2021

  • disclosed

    27 May 2021

  • credit

    @pwntester (Alvaro Muñoz)

How to fix?

Upgrade org.glassfish:jakarta.el to version 3.0.4 or higher.

Overview

Affected versions of this package are vulnerable to Improper Input Validation. A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

The bug seems to be in the parser’s grammar - $ or # followed by a character that is not {, $ or # will be treated as a literal expression. The pertinent case is when the character following the $ or # chars is a backslash. The parser will then consume the backslash as part of the literal expression and will leave the character that follows it unescaped.

Vulnerable Code

<DEFAULT> TOKEN :
{
  < LITERAL_EXPRESSION:
    ((~["\\", "$", "#"])
      | ("\\" ("\\" | "$" | "#"))
      | ("$" ~["{", "$", "#"])
      | ("#" ~["{", "$", "#"])
    )+
    | "$"
    | "#"
  >
|
  < START_DYNAMIC_EXPRESSION: "${" > {stack.push(DEFAULT);}: IN_EXPRESSION
|
  < START_DEFERRED_EXPRESSION: "#{" > {stack.push(DEFAULT);}: IN_EXPRESSION
}