In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Eclipse
  • Jakarta Expression Language
Oracle
  • Communications Cloud Native Core Policy
  • Weblogic Server
Quarkus
  • Quarkus
Redhat
  • Camel Quarkus
  • Integration
  • Jboss Enterprise Application Platform
  • Jboss Fuse
  • Jbosseapxp
  • Openshift Application Runtimes
  • Red Hat Single Sign On

Configuration 1 [-]

cpe:2.3:a:eclipse:jakarta_expression_language:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
EAP 7.3.9 release
jakarta.el cpe:/a:redhat:jboss_enterprise_application_platform:7.3 RHSA-2021:3471 2021-09-08T00:00:00Z
EAP 7.4.1 release
cpe:/a:redhat:jboss_enterprise_application_platform:7.4 RHSA-2021:3660 2021-09-23T00:00:00Z
Red Hat build of Quarkus 2.2.5
jakarta.el cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2022:0589 2022-02-21T00:00:00Z
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
jakarta.el cpe:/a:redhat:jbosseapxp RHSA-2021:3516 2021-09-13T00:00:00Z
Red Hat Fuse 7.10
jakarta.el cpe:/a:redhat:jboss_fuse:7 RHSA-2021:5134 2021-12-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 RHSA-2021:3658 2021-09-23T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 RHSA-2021:3656 2021-09-23T00:00:00Z
Red Hat Single Sign-On 7.4.9
jakarta.el cpe:/a:redhat:red_hat_single_sign_on:7 RHSA-2021:3534 2021-09-14T00:00:00Z
RHINT Camel-K 1.6.4
jakarta.el cpe:/a:redhat:integration:1 RHSA-2022:1029 2022-03-23T00:00:00Z
RHINT Camel-Q 2.2.1
jakarta.el cpe:/a:redhat:camel_quarkus:2.2.1 RHSA-2022:1013 2022-03-22T00:00:00Z
References
Link Providers
https://github.com/eclipse-ee4j/el-ri/issues/155 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-28170 cve-icon
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/ cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-28170 cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2021-05-26T21:55:09

Updated: 2024-08-03T21:40:12.240Z

Reserved: 2021-03-12T00:00:00

Link: CVE-2021-28170

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2021-05-26T22:15:07.980

Modified: 2022-04-25T20:15:10.337

Link: CVE-2021-28170

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-04-01T00:00:00Z

Links: CVE-2021-28170 - Bugzilla