CVE-2021-28170 - Vulnerability Details

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eclipse	Jakarta Expression Language
Oracle	Communications Cloud Native Core Policy Weblogic Server
Quarkus	Quarkus
Redhat	Camel Quarkus Integration Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Fuse Jbosseapxp Openshift Application Runtimes Red Hat Single Sign On

Configuration 1 [-]

cpe:2.3:a:eclipse:jakarta_expression_language:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Package	CPE	Advisory	Released Date
EAP 7.3.9 release
jakarta.el	cpe:/a:redhat:jboss_enterprise_application_platform:7.3	RHSA-2021:3471	2021-09-08T00:00:00Z
EAP 7.4.1 release
	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2021:3660	2021-09-23T00:00:00Z
Red Hat build of Quarkus 2.2.5
jakarta.el	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:0589	2022-02-21T00:00:00Z
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
jakarta.el	cpe:/a:redhat:jbosseapxp	RHSA-2021:3516	2021-09-13T00:00:00Z
Red Hat Fuse 7.10
jakarta.el	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:5134	2021-12-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2021:3658	2021-09-23T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2021:3656	2021-09-23T00:00:00Z
Red Hat Single Sign-On 7.4.9
jakarta.el	cpe:/a:redhat:red_hat_single_sign_on:7	RHSA-2021:3534	2021-09-14T00:00:00Z
RHINT Camel-K 1.6.4
jakarta.el	cpe:/a:redhat:integration:1	RHSA-2022:1029	2022-03-23T00:00:00Z
RHINT Camel-Q 2.2.1
jakarta.el	cpe:/a:redhat:camel_quarkus:2.2.1	RHSA-2022:1013	2022-03-22T00:00:00Z

References

Link	Providers
https://github.com/eclipse-ee4j/el-ri/issues/155
https://nvd.nist.gov/vuln/detail/CVE-2021-28170
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
https://www.cve.org/CVERecord?id=CVE-2021-28170
https://www.oracle.com/security-alerts/cpuapr2022.html

History

Wed, 25 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2021-05-26T21:55:09

Updated: 2024-08-03T21:40:12.240Z

Reserved: 2021-03-12T00:00:00

Link: CVE-2021-28170

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-26T22:15:07.980

Modified: 2024-11-21T05:59:14.993

Link: CVE-2021-28170

Redhat

Severity : Moderate

Publid Date: 2021-04-01T00:00:00Z

Links: CVE-2021-28170 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Jakarta Expression Language Implementation", "vendor": "The Eclipse Foundation", "versions": [{"lessThanOrEqual": "3.0.3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 3.0.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:54:35", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eclipse-ee4j/el-ri/issues/155"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28170", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jakarta Expression Language Implementation", "version": {"version_data": [{"version_affected": "<=", "version_value": "3.0.3"}, {"version_affected": "?>", "version_value": "3.0.3"}]}}]}, "vendor_name": "The Eclipse Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/eclipse-ee4j/el-ri/issues/155", "refsource": "CONFIRM", "url": "https://github.com/eclipse-ee4j/el-ri/issues/155"}, {"name": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", "refsource": "CONFIRM", "url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:40:12.240Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/eclipse-ee4j/el-ri/issues/155"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28170", "datePublished": "2021-05-26T21:55:09", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.240Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jakarta_expression_language:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D4D9319-3396-43B2-8466-D9C40E2D4680", "versionEndIncluding": "3.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB0158D3-CF4B-4355-8F33-D57BFC1C0398", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid."}, {"lang": "es", "value": "En la implementaci\u00f3n de Jakarta Expression Language versiones 3.0.3 y anteriores, un bug en la funci\u00f3n ELParserTokenManager permite que las expresiones EL no v\u00e1lidas sean evaluadas como si fueran v\u00e1lidas"}], "id": "CVE-2021-28170", "lastModified": "2024-11-21T05:59:14.993", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-26T22:15:07.980", "references": [{"source": "emo@eclipse.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/eclipse-ee4j/el-ri/issues/155"}, {"source": "emo@eclipse.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"}, {"source": "emo@eclipse.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/eclipse-ee4j/el-ri/issues/155"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3471", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package": "jakarta.el", "product_name": "EAP 7.3.9 release", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3660", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "product_name": "EAP 7.4.1 release", "release_date": "2021-09-23T00:00:00Z"}, {"advisory": "RHSA-2022:0589", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "jakarta.el", "product_name": "Red Hat build of Quarkus 2.2.5", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2021:3516", "cpe": "cpe:/a:redhat:jbosseapxp", "package": "jakarta.el", "product_name": "Red Hat EAP-XP 2.0.0 via EAP 7.3.x base", "release_date": "2021-09-13T00:00:00Z"}, {"advisory": "RHSA-2021:5134", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "jakarta.el", "product_name": "Red Hat Fuse 7.10", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3466", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3468", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHSA-2021:3658", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2021-09-23T00:00:00Z"}, {"advisory": "RHSA-2021:3656", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2021-09-23T00:00:00Z"}, {"advisory": "RHSA-2021:3534", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "package": "jakarta.el", "product_name": "Red Hat Single Sign-On 7.4.9", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2022:1029", "cpe": "cpe:/a:redhat:integration:1", "package": "jakarta.el", "product_name": "RHINT Camel-K 1.6.4", "release_date": "2022-03-23T00:00:00Z"}, {"advisory": "RHSA-2022:1013", "cpe": "cpe:/a:redhat:camel_quarkus:2.2.1", "package": "jakarta.el", "product_name": "RHINT Camel-Q 2.2.1", "release_date": "2022-03-22T00:00:00Z"}], "bugzilla": {"description": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate", "id": "1965497", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid."], "name": "CVE-2021-28170", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "jakarta.el", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "jakarta.el", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "jakarta-el", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "jakarta.el", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "jakarta.el", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "jakarta.el", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "jakarta.el", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "jakarta.el", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-28170\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28170\nhttps://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object