Improper Input Validation Affecting org.glassfish:jakarta.el package, versions [0,3.0.4)
Attack Complexity: Low
Snyk ID: SNYK-JAVA-ORGGLASSFISH-1297098
Published: 27 May 2021
Disclosed: 27 May 2021
Credit: @pwntester (Alvaro Muñoz)
Introduced: 27 May 2021
CVE-2021-28170
How to fix?
Upgrade org.glassfish:jakarta.el to version 3.0.4 or higher.
Overview
Affected versions of this package are vulnerable to Improper Input Validation. A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
The bug seems to be in the parser's grammar: $ or # followed by a character that is not {, $ or # will be treated as a literal expression. The pertinent case is when the character following the $ or # chars is a backslash. The parser will then consume the backslash as part of the literal expression and will leave the character that follows it unescaped.
Vulnerable Code
<DEFAULT> TOKEN :
{
    < LITERAL_EXPRESSION:
        ((~["\\", "$", "#"])
          | ("\\" ("\\" | "$" | "#"))
          | ("$" ~["{", "$", "#"])
          | ("#" ~["{", "$", "#"])
        )+
        | "$"
        | "#"
    >
    |
    < START_DYNAMIC_EXPRESSION: "${" > {stack.push(DEFAULT);}: IN_EXPRESSION
    |
    < START_DEFERRED_EXPRESSION: "#{" > {stack.push(DEFAULT);}: IN_EXPRESSION
}
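
The token rule above, modelled as Python regular expressions to show how a backslash after $ or # is absorbed into the literal and the escape that follows is lost. This is an added example, not code from the advisory or from the jakarta.el project. HARDENED is an assumed correction that the page does not show, the IN_EXPRESSION state is reduced to scanning for the next }, and the sample input is constructed.

```python
import re

# LITERAL_EXPRESSION alternatives transcribed from the grammar above.
VULNERABLE = r'(?:[^\\$#]|\\[\\$#]|\$[^{$#]|#[^{$#])+|\$|#'
# Assumed correction (not shown on the page): "$" / "#" may not absorb a backslash.
HARDENED = r'(?:[^\\$#]|\\[\\$#]|\$[^{$#\\]|#[^{$#\\])+|\$|#'


def tokenize(text, literal):
    """Model of the DEFAULT lexer state: longest match wins, earlier rule on ties."""
    rules = [("LITERAL", re.compile(literal)),
             ("DYNAMIC", re.compile(r'\$\{')),
             ("DEFERRED", re.compile(r'#\{'))]
    pos, tokens = 0, []
    while pos < len(text):
        best = None
        for kind, rx in rules:
            m = rx.match(text, pos)
            if m and (best is None or m.end() > best[1].end()):
                best = (kind, m)
        if best is None:
            raise ValueError(f"lexical error at offset {pos}")
        kind, m = best
        if kind == "LITERAL":
            tokens.append((kind, m.group()))
            pos = m.end()
        else:
            # Simplification: IN_EXPRESSION is reduced to "everything up to the next }".
            end = text.find("}", m.end())
            if end < 0:
                raise ValueError("unterminated expression")
            tokens.append((kind, text[m.end():end]))
            pos = end + 1
    return tokens


def expressions(text, literal):
    """Expression bodies that would be handed to the EL evaluator."""
    return [body for kind, body in tokenize(text, literal) if kind != "LITERAL"]


# Constructed sample: the author escaped "${" with a backslash, so it should stay text.
SAMPLE = r'total: $\${price}'

if __name__ == "__main__":
    print("vulnerable:", tokenize(SAMPLE, VULNERABLE))
    print("hardened:  ", tokenize(SAMPLE, HARDENED))
```

Under the vulnerable rule the literal token ends at `$\` and `${price}` is lexed as a dynamic expression; under the assumed correction the whole input stays literal text.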