Weakness ID: 917
Vulnerability Mapping: ALLOWED
Description:
- The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Common Consequences:
- Impact:
- Scope: Confidentiality
- Scope: Integrity
Potential Mitigations:
- Architecture and Design: Avoid adding user-controlled data into an expression interpreter when possible.
- Implementation:
  - Validate that the user input will not evaluate as an expression.
  - Encode the user input in a way that ensures it is not evaluated as an expression.
- System Configuration; Operation: The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
Modes of Introduction:
- Phase: Architecture and Design
- Phase: Implementation
Applicable Platforms:
- Java (Undetermined Prevalence)
Selected Observed Examples:
- CVE-2021-44228 - Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability in log4j)
Weakness Ordinalities:
- Primary (where the weakness exists independent of other weaknesses)
Detection Methods:
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
  Effectiveness: High
Maintenance:
- The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.
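The two Implementation mitigations above (validate, then encode) as an added Java example; this is illustrative code written for this entry, not CWE/MITRE code, and the class name ElInputGuard and its method names are assumptions. It assumes the input is destined for JSP template text, where a backslash before "${" or "#{" makes the EL parser treat the sequence as literal text.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper for keeping user data out of JSP EL evaluation (example code). */
public final class ElInputGuard {

    // An EL expression starts with "${" (immediate) or "#{" (deferred evaluation).
    private static final Pattern EL_START = Pattern.compile("[$#]\\{");

    private ElInputGuard() {}

    /** Mitigation "Validate": true when the input contains no EL start sequence. */
    public static boolean isSafeForElContext(String input) {
        return input != null && !EL_START.matcher(input).find();
    }

    /**
     * Mitigation "Encode": prefix every EL start sequence with a backslash so the
     * JSP container renders "${" and "#{" as literal characters. The replacement
     * string "\\\\$0" is the regex replacement "\\$0", i.e. a backslash followed
     * by the matched text. This is EL neutralization only; HTML output encoding
     * (against XSS) is a separate step and still required.
     */
    public static String neutralizeEl(String input) {
        if (input == null) {
            return "";
        }
        Matcher m = EL_START.matcher(input);
        return m.replaceAll("\\\\$0");
    }

    public static void main(String[] args) {
        // Constructed sample input in the "${xyz}" style named in the entry.
        String untrusted = "Hello ${xyz} and #{abc}";

        // Preferred: reject the input before it ever reaches the template.
        System.out.println("safe? " + isSafeForElContext(untrusted));   // false

        // Fallback when the value must be emitted: neutralize the EL delimiters.
        System.out.println(neutralizeEl(untrusted)); // Hello \${xyz} and \#{abc}
    }
}
```

The System Configuration mitigation in the entry is complementary: a page that never needs EL can declare `<%@ page isELIgnored="true" %>`, in which case the container ignores these sequences regardless of input.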