jakarta.el-3.0.3.jar vulnerability

Issue date: 13-12-2021
Affects versions: 14.6

Security Issue ID

SECURITY-262

Affected Product Version(s)

14.6.3 and previous releases.

Severity

medium

Description

CVE-2021-28170 suppress

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

CWE-20 Improper Input Validation

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I/A:N

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Instructions

Customers are recommended to upgrade to the version 14.7.0.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

jakarta.el-3.0.3.jar vulnerability