GHSL-2020-021 - Bypass input sanitization of EL expressions #155

Closed
mpiggott opened this issue Apr 14, 2021 · 4 comments · Fixed by #160
Comments

@mpiggott

GitHub posted this publicly about two weeks ago - https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/

@erlioniel

Hello,
As a library user I would like to hear some info about how the team is supposed to handle the vulnerability. Are there any plans to react and fix the issue?

Br.
Vladimir

@markt-asf
Contributor

Here is everything I know.

This was reported to the Eclipse security team on 2020-04-14. The EL project lead was informed via being CC'd on the BugZilla issue on 2020-04-20. I don't know if the EL project lead received that email or whether it was lost in a spam filter etc. I haven't been able to identify any further activity at Eclipse since then. You need to be an Eclipse committer to access that issue but (AFAICT) there isn't any information there that isn't in the published report or this comment.

I found out about this issue via $work a couple of days ago. As a Tomcat committer I wanted to check whether Tomcat was also vulnerable since the Jakarta EL implementation was originally forked from Tomcat. Tomcat was fixed in a commit some time ago. That fix may not apply directly to Jakarta EL as there have been other fixes to Tomcat's EL parsing grammar since the fork.

The Tomcat fixes are available to the Jakarta EL project under the ALv2.

The main focus of my time is Apache Tomcat. My work at Jakarta is on the specifications and the APIs. I simply don't have the time to maintain the Jakarta implementations as well.

For folks that need an immediate fix, my recommendation would be to use a different implementation where the issue has been fixed / doesn't exist. The benefit of the Java EE / Jakarta EE specs is that you should be able to freely switch implementations.

@markt-asf added the labels bug, Component: Impl (Only affects this implementation), Priority: Critical on Apr 15, 2021
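The recommendation above relies on the spec's pluggable factory lookup: `ExpressionFactory.newInstance()` picks the implementation via `META-INF/services/javax.el.ExpressionFactory` first, then `lib/el.properties` in the JRE, then the `javax.el.ExpressionFactory` system property. The following added example (not code from this thread or from the Jakarta EL project) reports which implementation that lookup actually resolved to and where it was loaded from, so you can confirm a switch took effect. It assumes the EL 3.0 `javax.el` package (under Jakarta EL 4 the package is `jakarta.el`), and the class names `com.sun.el.ExpressionFactoryImpl` (Jakarta EL implementation) and `org.apache.el.ExpressionFactoryImpl` (Tomcat) are the ones registered by those projects' jars; adjust them if your build differs.

```java
import javax.el.ELProcessor;
import javax.el.ExpressionFactory;
import java.security.CodeSource;

/**
 * Reports which EL implementation ExpressionFactory.newInstance() resolves to on
 * the current classpath. Use it to verify that an affected implementation is no
 * longer the one your application picks up.
 */
public final class ElImplCheck {

    // Assumed registered class names (example assumption, not stated in the issue):
    // the Jakarta EL implementation registers com.sun.el.ExpressionFactoryImpl and
    // Tomcat's jasper-el registers org.apache.el.ExpressionFactoryImpl.
    static final String JAKARTA_EL_IMPL = "com.sun.el.ExpressionFactoryImpl";
    static final String TOMCAT_EL_IMPL = "org.apache.el.ExpressionFactoryImpl";

    /** Fully qualified class name of the implementation selected by the spec lookup. */
    static String resolvedImplementation() {
        return ExpressionFactory.newInstance().getClass().getName();
    }

    /** Jar (or directory) the selected implementation was loaded from, or "unknown". */
    static String resolvedCodeSource() {
        CodeSource cs = ExpressionFactory.newInstance().getClass()
                .getProtectionDomain().getCodeSource();
        return cs == null ? "unknown" : cs.getLocation().toString();
    }

    /** Sanity check that the selected implementation actually parses and evaluates EL. */
    static Object evaluate(String expression) {
        ELProcessor processor = new ELProcessor();
        return processor.eval(expression);
    }

    public static void main(String[] args) {
        String impl = resolvedImplementation();
        System.out.println("ExpressionFactory implementation: " + impl);
        System.out.println("Loaded from: " + resolvedCodeSource());
        System.out.println("Evaluates '1 + 2' to: " + evaluate("1 + 2"));

        if (JAKARTA_EL_IMPL.equals(impl)) {
            System.out.println("NOTE: this is the Jakarta EL implementation; "
                    + "check the loaded version against the fix for CVE-2021-28170.");
        } else if (TOMCAT_EL_IMPL.equals(impl)) {
            System.out.println("This is Tomcat's EL implementation.");
        } else {
            System.out.println("Unrecognised implementation; check its advisory status.");
        }
    }
}
```

Because the services file is consulted before the system property, setting `-Djavax.el.ExpressionFactory=org.apache.el.ExpressionFactoryImpl` alone does not override an affected jar that ships its own `META-INF/services` entry; remove that jar from the classpath (or the web application's `WEB-INF/lib`) as well, then rerun the check to confirm the reported class and code source changed.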
@waynebeaton

I've assigned CVE-2021-28170 and have pushed a report to the central authority. I will continue to monitor this issue and push updates to the report as requested by the project team.

@TomasHofman
Contributor

Proposed PR: #160
