Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) — Vulnerability Class 35

35 vulnerabilities classified as CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)). AI Chinese analysis included.

CWE-917 represents a critical input validation weakness where software constructs expression language statements, such as those in Java Server Pages, using untrusted external input without proper sanitization. Attackers typically exploit this vulnerability by injecting malicious code snippets into user-controlled fields, allowing them to manipulate the intended logic of the expression language. This injection can lead to severe consequences, including remote code execution, data theft, or unauthorized system access, as the application executes the attacker’s modified commands instead of the original developer intent. To prevent this, developers must strictly validate and neutralize all special elements within expression language statements before execution. Implementing allow-lists for acceptable inputs, utilizing parameterized expressions where possible, and employing robust input filtering mechanisms are essential strategies to ensure that external data cannot alter the structural integrity of the expression language, thereby mitigating the risk of injection attacks.

MITRE CWE Description
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.
Common Consequences (2)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Mitigations (3)
Architecture and DesignAvoid adding user-controlled data into an expression interpreter when possible.
ImplementationIf user-controlled data must be added to an expression interpreter, one or more of the following should be performed: Validate that the user input will not evaluate as an expression Encode the user input in a way that ensures it is not evaluated as an expression
System Configuration, OperationThe framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
CVE IDTitleCVSSSeverityPublished
CVE-2023-32200 Apache Jena: Exposure of execution in script engine expressions. — Apache Jena 4.6 -2023-07-12
CVE-2023-22665 Apache Jena: Exposure of arbitrary execution in script engine expressions. — Apache Jena 6.1 -2023-04-25
CVE-2022-23463 SpEL Injection in Nepxion Discovery — Discover 9.4 Critical2022-09-24
CVE-2021-31805 Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. — Apache Struts 9.8 -2022-04-12
CVE-2021-45046 Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack — Apache Log4j 9.0 -2021-12-14

Vulnerabilities classified as CWE-917 (表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)) represent 35 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.