Vulnerabilities > CVE-2021-28170 - Expression Language Injection vulnerability in multiple products

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

NVD

Published: 2021-05-26

Updated: 2022-04-25

Summary

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse Jakarta Expression Language 3.0.2 Eclipse Jakarta Expression Language 3.0.3	2
Application	Quarkus Quarkus Quarkus 0.0.1 Quarkus Quarkus 0.1.0 Quarkus Quarkus 0.2.0 Quarkus Quarkus 0.3.0 Quarkus Quarkus 0.4.0 Quarkus Quarkus 0.5.0 Quarkus Quarkus 0.6.0 Quarkus Quarkus 0.7.0 Quarkus Quarkus 0.8.0 Quarkus Quarkus 0.9.0 Quarkus Quarkus 0.9.1 Quarkus Quarkus 0.10.0 Quarkus Quarkus 0.11.0 Quarkus Quarkus 0.12.0 Quarkus Quarkus 0.13.0 Quarkus Quarkus 0.13.1 Quarkus Quarkus 0.13.2 Quarkus Quarkus 0.13.3 Quarkus Quarkus 0.14.0 Quarkus Quarkus 0.15.0 Quarkus Quarkus 0.16.0 Quarkus Quarkus 0.16.1 Quarkus Quarkus 0.17.0 Quarkus Quarkus 0.18.0 Quarkus Quarkus 0.19.0 Quarkus Quarkus 0.19.1 Quarkus Quarkus 0.20.0 Quarkus Quarkus 0.21.0 Quarkus Quarkus 0.21.1 Quarkus Quarkus 0.21.2 Quarkus Quarkus 0.22.0 Quarkus Quarkus 0.23.0 Quarkus Quarkus 0.23.1 Quarkus Quarkus 0.23.2 Quarkus Quarkus 0.24.0 Quarkus Quarkus 0.25.0 Quarkus Quarkus 0.26.0 Quarkus Quarkus 0.26.1 Quarkus Quarkus 0.27.0 Quarkus Quarkus 0.28.0 Quarkus Quarkus 0.28.1 Quarkus Quarkus 1.0.0 Quarkus Quarkus 1.0.1 Quarkus Quarkus 1.1.0 Quarkus Quarkus 1.1.1 Quarkus Quarkus 1.2.0 Quarkus Quarkus 1.2.1 Quarkus Quarkus 1.3.0 Quarkus Quarkus 1.3.1 Quarkus Quarkus 1.3.2 Quarkus Quarkus 1.3.3 Quarkus Quarkus 1.3.4 Quarkus Quarkus 1.4.0 Quarkus Quarkus 1.4.1 Quarkus Quarkus 1.4.2 Quarkus Quarkus 1.5.0 Quarkus Quarkus 1.5.1 Quarkus Quarkus 1.5.2 Quarkus Quarkus 1.6.0 Quarkus Quarkus 1.6.1 Quarkus Quarkus 1.7.0 Quarkus Quarkus 1.7.1 Quarkus Quarkus 1.7.2 Quarkus Quarkus 1.7.3 Quarkus Quarkus 1.7.4 Quarkus Quarkus 1.7.5 Quarkus Quarkus 1.7.6 Quarkus Quarkus 1.8.0 Quarkus Quarkus 1.8.1 Quarkus Quarkus 1.8.2 Quarkus Quarkus 1.8.3 Quarkus Quarkus 1.9.0 Quarkus Quarkus 1.9.1 Quarkus Quarkus 1.9.2 Quarkus Quarkus 1.10.0 Quarkus Quarkus 1.10.1 Quarkus Quarkus 1.10.2 Quarkus Quarkus 1.10.3 Quarkus Quarkus 1.10.4 Quarkus Quarkus 1.10.5 Quarkus Quarkus 1.11.0 Quarkus Quarkus 1.11.1 Quarkus Quarkus 1.11.2 Quarkus Quarkus 1.11.3 Quarkus Quarkus 1.11.4 Quarkus Quarkus 1.11.5 Quarkus Quarkus 1.11.6 Quarkus Quarkus 1.11.7 Quarkus Quarkus 1.12.0 Quarkus Quarkus 1.12.1 Quarkus Quarkus 1.12.2 Quarkus Quarkus 1.13.0 Quarkus Quarkus 1.13.1 Quarkus Quarkus 1.13.2 Quarkus Quarkus 1.13.3 Quarkus Quarkus 1.13.4 Quarkus Quarkus 1.13.5 Quarkus Quarkus 1.13.6 Quarkus Quarkus 1.13.7 Quarkus Quarkus 2.0.0 Quarkus Quarkus 2.0.1 Quarkus Quarkus 2.0.2 Quarkus Quarkus 2.0.3 Quarkus Quarkus 2.1.0 Quarkus Quarkus 2.1.1 Quarkus Quarkus 2.1.2 Quarkus Quarkus 2.1.3 Quarkus Quarkus 2.1.4 Quarkus Quarkus 2.2.0 Quarkus Quarkus 2.2.1 Quarkus Quarkus 2.2.2 Quarkus Quarkus 2.2.3	155
Application	Oracle Oracle Communications Cloud Native Core Policy 1.14.0 Oracle Weblogic Server 14.1.1.0.0	2

Common Weakness Enumeration (CWE)

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References