CVE-2021-28170

MEDIUM

Jakarta Expression Language <3.0.3 - Info Disclosure

Title source: llm

Description

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

References (3)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/eclipse-ee4j/el-ri/issues/155

[Exploit, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 5.3

EPSS 0.0011

EPSS Percentile 29.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-917 CWE-20

Status published

Products (7)

com.sun.el/el-ri 0 - 3.0.4Maven

eclipse/jakarta_expression_language < 3.0.3

oracle/communications_cloud_native_core_policy 1.14.0

oracle/weblogic_server 14.1.1.0.0

org.glassfish/jakarta.el 0 - 3.0.4Maven

org.glassfish/javax.el 0Maven

quarkus/quarkus < 2.3.0

Published May 26, 2021

Tracked Since Feb 18, 2026