Improper Input Validation Affecting org.glassfish:javax.el package, versions [0,]
- Snyk ID SNYK-JAVA-ORGGLASSFISH-2841368
- published 27 May 2021
- disclosed 27 May 2021
- credit @pwntester (Alvaro Muñoz)
Introduced: 27 May 2021
CVE-2021-28170
How to fix?
There is no fixed version for org.glassfish:javax.el.
Overview
Affected versions of this package are vulnerable to Improper Input Validation. A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
The bug seems to be in the parser's grammar: a $ or # followed by a character that is not {, $ or # is treated as a literal expression. The pertinent case is when the character following the $ or # is a backslash. The parser then consumes the backslash as part of the literal expression and leaves the character that follows it unescaped.
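As an added illustration (not code from Snyk or from the GlassFish project), the following hypothetical pre-screening helper flags the exact token sequence described above, a $ or # immediately followed by a backslash, alongside ordinary ${ and #{ expression starts, so that a deployment still on the unfixed org.glassfish:javax.el can reject such untrusted input before it reaches the parser. All sample inputs are constructed.

```python
"""Pre-screen untrusted strings before they reach an EL parser.

Hypothetical helper, not part of Snyk's or GlassFish's code. It reports the
sequence the advisory describes ('$' or '#' followed by a backslash) in
addition to ordinary '${' / '#{' expression starts.
"""
from dataclasses import dataclass
from typing import List

MARKERS = "$#"


@dataclass(frozen=True)
class Finding:
    offset: int    # index of the '$' or '#' in the input
    kind: str      # "expression_start" or "marker_backslash"
    snippet: str   # the two characters that triggered the finding


def scan_el_input(text: str) -> List[Finding]:
    """Return every marker-led sequence a reviewer would want to look at."""
    findings: List[Finding] = []
    for i in range(len(text) - 1):
        if text[i] not in MARKERS:
            continue
        nxt = text[i + 1]
        if nxt == "{":
            # A normal expression start; reject if this field must be literal.
            findings.append(Finding(i, "expression_start", text[i:i + 2]))
        elif nxt == "\\":
            # On the affected parser the backslash is swallowed as part of the
            # literal and the character after it is left unescaped.
            findings.append(Finding(i, "marker_backslash", text[i:i + 2]))
        # Any other following character ('$', '#' or ordinary text) is a
        # plain literal per the advisory; the next marker is examined on its own.
    return findings


def is_safe_el_input(text: str) -> bool:
    """True when no marker-led sequence was found."""
    return not scan_el_input(text)


# Constructed samples: a normal expression, the advisory's backslash case,
# and a harmless literal containing bare markers.
SAMPLES = {
    "expression": "${1+1}",
    "backslash_case": "price $\\{100}",
    "literal": "plain text with $ and # signs",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, is_safe_el_input(value), scan_el_input(value))
```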
Note: org.glassfish:javax.el is deprecated; users can move to org.glassfish:jakarta.el instead, where this issue is first fixed in version 3.0.4.