Vulnerabilities > CVE-2021-28170 - Expression Language Injection vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
eclipse
quarkus
oracle
CWE-917

Summary

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Vulnerable Configurations

Part Description Count
Application
Eclipse
2
Application
Quarkus
155
Application
Oracle
2