CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

196 vulnerabilities with CWE-917
CVE             Severity  KEV  CVSS  Title
CVE-2022-24847  HIGH           7.2   GeoServer < 2.19.6 and 2.20.0-2.20.4 - Authenticated Expression Language Injection via JNDI Lookup
CVE-2022-24818  HIGH           8.2   GeoTools < 24.6 - Authenticated Expression Language Injection via JNDI Lookup
CVE-2022-22963  CRITICAL  KEV  9.8   Spring Cloud Function < 3.1.6 - Remote Code Execution via SpEL Routing Expression
CVE-2022-22947  CRITICAL  KEV  10.0  Spring Cloud Gateway Remote Code Execution
CVE-2021-31805  CRITICAL       9.8   Apache Struts 2.0.0-2.5.29 - Remote Code Execution via Forced OGNL Evaluation
CVE-2021-45046  CRITICAL  KEV  9.0   Apache Log4j < 2.12.2 - Remote Code Execution
CVE-2021-44228  CRITICAL  KEV  10.0  Log4Shell HTTP Header Injection
CVE-2021-32834  HIGH           8.2   Eclipse Keti - Remote Code Execution via Groovy Script Injection
CVE-2021-26084  CRITICAL  KEV  9.8   Atlassian Confluence Server and Data Center - OGNL Injection
CVE-2021-28170  MEDIUM         5.3   Jakarta Expression Language < 3.0.3 - Info Disclosure
CVE-2020-26565  HIGH           7.5   ObjectPlanet Opinio < 7.14 - Code Injection
CVE-2020-17530  CRITICAL  KEV  9.8   Apache Struts 2 Forced Multi OGNL Evaluation
CVE-2020-7195   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via iccselectrules Expression Language Injection
CVE-2020-7194   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7193   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7192   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7191   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7190   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via DeviceSelect Expression Language Injection
CVE-2020-7189   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7188   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7187   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Reportpage Index Expression Language Injection
CVE-2020-7186   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7185   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7184   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection
CVE-2020-7183   HIGH           8.8   HPE Intelligent Management Center < 7.3 - Remote Code Execution via Expression Language Injection