Description
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| The Eclipse Foundation | Jakarta Expression Language Implementation | affected |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| EAP 7.3.9 release | |||
| jakarta.el | cpe:/a:redhat:jboss_enterprise_application_platform:7.3 | RHSA-2021:3471 | 2021-09-08T00:00:00Z |
| EAP 7.4.1 release | |||
| cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2021:3660 | 2021-09-23T00:00:00Z | |
| Red Hat build of Quarkus 2.2.5 | |||
| jakarta.el | cpe:/a:redhat:openshift_application_runtimes:1.0 | RHSA-2022:0589 | 2022-02-21T00:00:00Z |
| Red Hat EAP-XP 2.0.0 via EAP 7.3.x base | |||
| jakarta.el | cpe:/a:redhat:jbosseapxp | RHSA-2021:3516 | 2021-09-13T00:00:00Z |
| Red Hat Fuse 7.10 | |||
| jakarta.el | cpe:/a:redhat:jboss_fuse:7 | RHSA-2021:5134 | 2021-12-14T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | |||
| eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2025:9582 | 2025-06-25T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 | |||
| eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 | RHSA-2021:3466 | 2021-09-08T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 | |||
| eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 | RHSA-2021:3467 | 2021-09-08T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 | |||
| eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 | RHSA-2021:3468 | 2021-09-08T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | |||
| eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2021:3658 | 2021-09-23T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | |||
| eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2021:3656 | 2021-09-23T00:00:00Z |
| Red Hat Single Sign-On 7.4.9 | |||
| jakarta.el | cpe:/a:redhat:red_hat_single_sign_on:7 | RHSA-2021:3534 | 2021-09-14T00:00:00Z |
| RHINT Camel-K 1.6.4 | |||
| jakarta.el | cpe:/a:redhat:integration:1 | RHSA-2022:1029 | 2022-03-23T00:00:00Z |
| RHINT Camel-Q 2.2.1 | |||
| jakarta.el | cpe:/a:redhat:camel_quarkus:2.2.1 | RHSA-2022:1013 | 2022-03-22T00:00:00Z |
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2021-2257 | In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. |
 Github GHSA |
GHSA-v6w3-2prq-h95f | Improper Input Validation in Jakarta Expression Language |
References
History
Wed, 25 Jun 2025 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat jboss Enterprise Application Platform Eus
|
|
| CPEs | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | |
| Vendors & Products |
Redhat jboss Enterprise Application Platform Eus
|
Subscriptions
Eclipse
Subscribe
Jakarta Expression Language
Subscribe
Oracle
Subscribe
Communications Cloud Native Core Policy
Subscribe
Weblogic Server
Subscribe
Quarkus
Subscribe
Quarkus
Subscribe
Redhat
Subscribe
Camel Quarkus
Subscribe
Integration
Subscribe
Jboss Enterprise Application Platform
Subscribe
Jboss Enterprise Application Platform Eus
Subscribe
Jboss Fuse
Subscribe
Jbosseapxp
Subscribe
Openshift Application Runtimes
Subscribe
Red Hat Single Sign On
Subscribe
MITRE
Status: PUBLISHED
Assigner: eclipse
Published:
Updated: 2024-08-03T21:40:12.240Z
Reserved: 2021-03-12T00:00:00.000Z
Link: CVE-2021-28170
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-05-26T22:15:07.980
Modified: 2024-11-21T05:59:14.993
Link: CVE-2021-28170
Redhat
OpenCVE Enrichment
No data.