jakarta.el-3.0.3.jar vulnerability 

Issue date: 13-12-2021
Affects versions: 14.6

Security Issue ID

SECURITY-262


Affected Product Version(s)

14.6.3 and previous releases.


Severity 

medium


Description

CVE-2021-28170

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

CWE-20 Improper Input Validation

CVSSv2:

  • Base Score: MEDIUM (5.0)
  • Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSSv3:

  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


Instructions

Customers are advised to upgrade to version 14.7.0.
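As an added example (not part of this advisory or the vendor's tooling), the following Python script checks whether a deployment is exposed to SECURITY-262 by two tests taken from the advisory: the installed product version is below 14.7.0, and the classpath contains a jakarta.el implementation jar at version 3.0.3 or earlier. The classpath listing and the filename pattern `jakarta.el-<version>.jar` are assumptions; the sample paths are constructed for illustration.

```python
import re
from pathlib import Path

# Thresholds taken from the advisory: jakarta.el 3.0.3 and earlier are
# affected, and the product is fixed from release 14.7.0 onward.
VULNERABLE_EL_MAX = (3, 0, 3)
FIXED_PRODUCT_VERSION = (14, 7, 0)

# Assumed naming of the implementation artifact. The API jar
# (jakarta.el-api-*.jar) is deliberately not matched: the bug is in the
# ELParserTokenManager of the implementation, not in the API.
JAR_NAME_RE = re.compile(r"^jakarta\.el-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_version(text, width=3):
    """Turn '3.0.3', '3.0' or '14.7.0' into a fixed-width tuple of ints so
    that '3.0' compares as 3.0.0 and not as a shorter, mismatched tuple."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def is_affected_el_jar(filename):
    """True when the file is a jakarta.el implementation jar at 3.0.3 or earlier."""
    match = JAR_NAME_RE.match(Path(filename).name)
    if not match:
        return False
    return parse_version(match.group(1)) <= VULNERABLE_EL_MAX


def is_affected_product(version_text):
    """True when the product release predates the fixed 14.7.0 release."""
    return parse_version(version_text) < FIXED_PRODUCT_VERSION


def scan(paths):
    """Return the sorted list of classpath entries that carry a vulnerable jar."""
    return sorted(p for p in paths if is_affected_el_jar(p))


# Constructed sample classpath; not taken from any real deployment.
SAMPLE_CLASSPATH = [
    "/opt/app/lib/jakarta.el-3.0.3.jar",
    "/opt/app/lib/jakarta.el-api-3.0.3.jar",
    "/opt/app/lib/jakarta.el-3.0.4.jar",
    "/opt/app/lib/jakarta.el-2.2.6.jar",
    "/opt/app/lib/commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    print("product 14.6.3 affected:", is_affected_product("14.6.3"))
    for jar in scan(SAMPLE_CLASSPATH):
        print("vulnerable jar:", jar)
```

The filename test is a first pass only: a shaded or renamed jar will not match the pattern, so for a complete inventory the check should be repeated against the `Implementation-Version` entry in each jar's `META-INF/MANIFEST.MF` or against the build tool's dependency report.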