Vulnerabilities > CVE-2021-32834 - Expression Language Injection vulnerability in Eclipse Keti

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

eclipse

CWE-917

NVD

Published: 2021-09-09

Updated: 2022-04-25

Summary

Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse Keti -	1

Common Weakness Enumeration (CWE)

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

References

https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti/