CVE-2021-28170 – jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate

https://notcve.org/view.php?id=CVE-2021-28170

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. En la implementación de Jakarta Expression Language versiones 3.0.3 y anteriores, un bug en la función ELParserTokenManager permite que las expresiones EL no válidas sean evaluadas como si fueran válidas • https://github.com/eclipse-ee4j/el-ri/issues/155 https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-28170 https://bugzilla.redhat.com/show_bug.cgi?id=1965497 • CWE-20: Improper Input Validation CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •