CVE-2021-28170
Incorrect Authorization vulnerability in el-ri (Maven)
What is CVE-2021-28170 About?
This vulnerability affects the Jakarta Expression Language (EL) reference implementation 3.0.3 and earlier. A bug in the ELParserTokenManager lets syntactically invalid EL expressions be tokenized and evaluated as if they were valid, so a security check that relies on the parser rejecting malformed input can be bypassed and an unexpected expression is executed. Exploitation requires crafting specific invalid EL expressions and getting them evaluated by the vulnerable engine.
Affected Software
- com.sun.el:el-ri
- <3.0.4
- org.glassfish:jakarta.el
- <3.0.4
- org.glassfish:javax.el
- <=3.0.1-b12
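As a practical check against the affected ranges listed above, the following Python script flags coordinates in `mvn dependency:list` output that fall inside them. It is an added example, not code from this page or from the el-ri project. The sample dependency list is constructed, the version comparison is a deliberate simplification of Maven's ordering (enough for the 3.0.x and b12-style versions involved here), and the suggestion to replace org.glassfish:javax.el with org.glassfish:jakarta.el 3.0.4 is the editor's, since the page lists no fixed javax.el release.

```python
"""Flag Maven dependencies inside the version ranges affected by CVE-2021-28170.

Added example (not from the advisory or the el-ri project). The ranges come
from the Affected Software list; the version ordering is a simplification of
Maven's rules and the remediation text for javax.el is a suggestion.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

_COORD_PART = re.compile(r"^[\w.\-]+$")


def version_key(version: str) -> Tuple:
    """Turn a Maven version string into a sortable tuple.

    Simplification (assumption, not full Maven semantics): a leading run of
    dotted integers, padded to at least four places, followed by at most one
    qualifier. A plain release sorts above the same base with a qualifier,
    so 3.0.1 > 3.0.1-b12, and numbered qualifiers compare numerically, so
    3.0.1-b12 > 3.0.1-b8. Qualifier names are compared alphabetically.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.](.*))?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * max(0, 4 - len(nums))
    qualifier = (m.group(2) or "").lower()
    if not qualifier:
        qual_key: Tuple = (1, "", 0)          # release sorts above any qualifier
    else:
        qm = re.match(r"^([a-z]*)(\d*)$", qualifier)
        if qm:
            qual_key = (0, qm.group(1), int(qm.group(2) or 0))
        else:
            qual_key = (0, qualifier, 0)
    return (*nums, qual_key)


# (groupId, artifactId) -> (predicate over version_key, remediation note)
AFFECTED: Dict[Tuple[str, str], Tuple[Callable[[Tuple], bool], str]] = {
    ("com.sun.el", "el-ri"): (
        lambda k: k < version_key("3.0.4"), "upgrade to 3.0.4"),
    ("org.glassfish", "jakarta.el"): (
        lambda k: k < version_key("3.0.4"), "upgrade to 3.0.4"),
    ("org.glassfish", "javax.el"): (
        lambda k: k <= version_key("3.0.1-b12"),
        "no fixed javax.el release listed; suggestion: switch to "
        "org.glassfish:jakarta.el 3.0.4"),
}


def is_affected(group: str, artifact: str, version: str) -> bool:
    """True if the coordinate is inside one of the affected ranges."""
    entry = AFFECTED.get((group, artifact))
    return bool(entry and entry[0](version_key(version)))


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from one `mvn dependency:list`
    line, e.g. '[INFO]    org.glassfish:jakarta.el:jar:3.0.3:compile'.

    Accepts groupId:artifactId:type[:classifier]:version:scope and the bare
    groupId:artifactId:version form; anything else (banners, plugin lines)
    yields None.
    """
    text = re.sub(r"^\[INFO\]\s*", "", line).strip()
    parts = text.split(":")
    if len(parts) not in (3, 5, 6) or not all(_COORD_PART.match(p) for p in parts):
        return None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return parts[0], parts[1], parts[-2]      # version precedes the scope


def find_affected(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return [(groupId:artifactId:version, remediation), ...], deduplicated."""
    hits: List[Tuple[str, str]] = []
    seen = set()
    for line in lines:
        coord = parse_dependency_line(line)
        if coord is None:
            continue
        group, artifact, version = coord
        key = f"{group}:{artifact}:{version}"
        if key not in seen and is_affected(group, artifact, version):
            seen.add(key)
            hits.append((key, AFFECTED[(group, artifact)][1]))
    return hits


# Constructed sample output of `mvn dependency:list`; not taken from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO]    com.sun.el:el-ri:jar:3.0.4:compile
[INFO]    org.glassfish:javax.el:jar:3.0.1-b12:runtime
[INFO]    jakarta.el:jakarta.el-api:jar:3.0.3:compile
[INFO]    org.glassfish:jakarta.el:jar:sources:3.0.3:provided
""".splitlines()

if __name__ == "__main__":
    for coordinate, advice in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}: affected by CVE-2021-28170 ({advice})")
```

Feed it real output with `mvn dependency:list | python check_el.py` after replacing the sample with `sys.stdin`; the API artifact jakarta.el:jakarta.el-api is deliberately left out of the table because only the implementation artifacts are listed as affected.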
Technical Details
The vulnerability in the Jakarta Expression Language (EL) implementation 3.0.3 and earlier stems from a bug in the ELParserTokenManager, the JavaCC-generated tokenizer used by the EL parser. Because of this bug, expressions that are syntactically invalid under the EL specification can pass the tokenizing stage and be evaluated as if they were legitimate. The practical consequence is that an attacker-controlled expression which looks invalid, and which a filter or allowlist may therefore treat as harmless or rejectable, is nonetheless processed by the EL engine. Depending on what the application exposes in the EL context, this can lead to unauthorized data access, information disclosure, or code execution. The attack vector is injecting such malformed EL expressions into any input that the application hands to the vulnerable EL engine for evaluation.
What is the Impact of CVE-2021-28170?
Successful exploitation lets an attacker have syntactically invalid EL expressions evaluated, which can bypass security controls that rely on the parser rejecting malformed input and can lead to unintended code execution in the EL context.
What is the Exploitability of CVE-2021-28170?
Exploitation is of moderate complexity: it requires knowledge of Jakarta EL syntax and of the specific parsing bug. Whether authentication is needed depends on whether unauthenticated users can submit input that the application evaluates as EL. No elevated privileges are inherently required beyond the ability to submit data processed by the EL engine, and the attack is remote whenever EL expressions are built from untrusted network input. The prerequisites are that the application uses the vulnerable EL implementation (3.0.3 or earlier) and evaluates user-controlled data as EL expressions. Applications that accept EL expression input without strict allowlisting or sanitization are the most exposed, since the bug turns a rejected-looking expression into an evaluated one.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2021-28170?
Available Upgrade Options
- org.glassfish:jakarta.el
- <3.0.4 → Upgrade to 3.0.4
- com.sun.el:el-ri
- <3.0.4 → Upgrade to 3.0.4
Additional Resources
- https://osv.dev/vulnerability/GHSA-v6w3-2prq-h95f
- https://github.com/eclipse-ee4j/el-ri/issues/155
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
- https://security.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISH-1297098
- https://security.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISH-2841368
- https://github.com/eclipse-ee4j/el-ri
What are Similar Vulnerabilities to CVE-2021-28170?
Similar Vulnerabilities: CVE-2020-13936, CVE-2018-11776, CVE-2017-1000486, CVE-2017-1000487, CVE-2017-1000488
