CVE-2021-28170

NameCVE-2021-28170
DescriptionIn the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs989259

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jakarta-el-api (PTS)bullseye4.0.0-2vulnerable
bookworm, sid5.0.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jakarta-el-apisource(unstable)(unfixed)unimportant989259

Notes

https://github.com/eclipse-ee4j/el-ri/issues/155
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
Only affects the EL reference implementation which isn't built into the binary packages
Search for package or bug name: Reporting problems