CWE-917
AllowedImproper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Abstraction: Base · Status: Incomplete
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
170 vulnerabilities reference this CWE, most recent first.
GHSA-H2FJ-JG64-M3P4
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A operatorgrouptreeselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7166"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A operatorgrouptreeselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-h2fj-jg64-m3p4",
"modified": "2022-05-24T17:31:17Z",
"published": "2022-05-24T17:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7166"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H6M7-J4H3-9RF5
Vulnerability from github – Published: 2020-08-19 19:52 – Updated: 2021-11-19 15:36Impact
Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.
The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.
Example
sylius_grid:
grids:
foo:
fields:
bar:
options:
baz: "expr:service('sylius.repository.product').find($id)"
In this case, $id can be prepared in a way that calls other services.
If you visit /route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.
To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.
Patches
This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.
Workarounds
The fix requires adding addslashes in OptionsParser::parseOptionExpression to sanitize user input before evaluating it using the expression language.
- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;
Acknowledgements
This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!
For more information
If you have any questions or comments about this advisory: * Email us at security@sylius.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/resource-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.3.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15146"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-19T19:50:49Z",
"nvd_published_at": "2020-08-20T01:17:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nRequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.\n\nThe vulnerable versions include: `\u003c=1.3.13 || \u003e=1.4.0 \u003c=1.4.6 || \u003e=1.5.0 \u003c=1.5.1 || \u003e=1.6.0 \u003c=1.6.3`.\n\n### Example\n\n```yaml\nsylius_grid:\n grids:\n foo:\n fields:\n bar:\n options:\n baz: \"expr:service(\u0027sylius.repository.product\u0027).find($id)\"\n```\n\nIn this case, `$id` can be prepared in a way that calls other services. \n\nIf you visit `/route?id=\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"`, it will result in a following expression `expr:service(\u0027repository\u0027).find(\"\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"\")`, which will execute a query on the currently connected database.\n\nTo find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.\n\n### Patches\n\nThis issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.\n\n### Workarounds\n\nThe fix requires adding `addslashes` in `OptionsParser::parseOptionExpression` to sanitize user input before evaluating it using the expression language.\n\n```php\n- return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, $variable) : $variable;\n+ return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, addslashes($variable)) : $variable;\n```\n\n### Acknowledgements\n\nThis security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@sylius.com](mailto:security@sylius.com)",
"id": "GHSA-h6m7-j4h3-9rf5",
"modified": "2021-11-19T15:36:47Z",
"published": "2020-08-19T19:52:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15146"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/SyliusResourceBundle"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Remote Code Execution in SyliusResourceBundle"
}
GHSA-HFQV-QM4H-QGQV
Vulnerability from github – Published: 2024-12-20 15:30 – Updated: 2024-12-20 15:30IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and
12.0.0 through 12.0.4
is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.
{
"affected": [],
"aliases": [
"CVE-2024-51466"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T14:15:24Z",
"severity": "CRITICAL"
},
"details": "IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and \n\n12.0.0 through 12.0.4\n\nis vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.",
"id": "GHSA-hfqv-qm4h-qgqv",
"modified": "2024-12-20T15:30:48Z",
"published": "2024-12-20T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51466"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7179496"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJP9-GQ92-XJR3
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A deviceselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7190"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A deviceselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-hjp9-gq92-xjr3",
"modified": "2022-05-24T17:31:20Z",
"published": "2022-05-24T17:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7190"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HQXH-R866-2RGJ
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A reportpage index expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7187"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A reportpage index expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-hqxh-r866-2rgj",
"modified": "2022-05-24T17:31:20Z",
"published": "2022-05-24T17:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7187"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J388-8RM5-P97F
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.
Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
{
"affected": [],
"aliases": [
"CVE-2026-41729"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T00:16:52Z",
"severity": "HIGH"
},
"details": "Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.",
"id": "GHSA-j388-8rm5-p97f",
"modified": "2026-06-10T00:31:52Z",
"published": "2026-06-10T00:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41729"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-41729"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J7QM-W3QX-8F3F
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A chooseperfview expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7145"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A chooseperfview expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-j7qm-w3qx-8f3f",
"modified": "2022-05-24T17:31:15Z",
"published": "2022-05-24T17:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7145"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J927-W6G7-7C7W
Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2023-07-20 14:57There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.jena:jena"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "4.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32200"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-12T17:29:39Z",
"nvd_published_at": "2023-07-12T08:15:10Z",
"severity": "HIGH"
},
"details": "There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0.\n\n",
"id": "GHSA-j927-w6g7-7c7w",
"modified": "2023-07-20T14:57:59Z",
"published": "2023-07-12T09:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32200"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/jena"
},
{
"type": "WEB",
"url": "https://jena.apache.org/about_jena/security-advisories.html#cve-2023-32200---exposure-of-execution-in-script-engine-expressions"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Jena Expression Language Injection vulnerability"
}
GHSA-JC35-Q369-45PV
Vulnerability from github – Published: 2022-02-09 22:51 – Updated: 2025-10-22 17:57Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-17530"
],
"database_specific": {
"cwe_ids": [
"CWE-917",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-09T21:42:05Z",
"nvd_published_at": "2020-12-11T02:15:00Z",
"severity": "CRITICAL"
},
"details": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.",
"id": "GHSA-jc35-q369-45pv",
"modified": "2025-10-22T17:57:43Z",
"published": "2022-02-09T22:51:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17530"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/WW/S2-061"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/struts"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210115-0005"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN43969166/index.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H",
"type": "CVSS_V3"
}
],
"summary": "Remote code execution in Apache Struts"
}
GHSA-JFH8-C2JP-5V3Q
Vulnerability from github – Published: 2021-12-10 00:40 – Updated: 2025-10-22 19:13Summary
Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per Apache's Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default.
Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the Updated advice for version 2.16.0 section of this advisory.
Impact
Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input.
Affected versions
Any Log4J version prior to v2.15.0 is affected to this specific issue.
The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible.
Security releases
Additional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3
Affected packages
Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api should be kept at the same version as the org.apache.logging.log4j:log4j-core package to ensure compatability if in use.
Remediation Advice
Updated advice for version 2.16.0
The Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which disables JNDI by default and completely removes support for message lookups. Even in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as CVE-2021-45046. More information is available on the GitHub Security Advisory for CVE-2021-45046.
Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must ensure that no such lookups resolve to attacker-provided data and ensure that the the JndiLookup class is not loaded.
Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.15.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0-beta9"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.4"
},
{
"fixed": "2.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.guicedee.services:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.1.2-jre17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xbib.elasticsearch:log4j"
},
"versions": [
"6.3.2.1"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "uk.co.nichesolutions.logging.log4j:log4j-core"
},
"versions": [
"2.6.3-CUSTOM"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.ops4j.pax.logging:pax-logging-log4j2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-44228"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-400",
"CWE-502",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-10T00:40:41Z",
"nvd_published_at": "2021-12-10T10:15:00Z",
"severity": "CRITICAL"
},
"details": "# Summary\n\nLog4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.\nAs per [Apache\u0027s Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 \u003c=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default.\n\nLog4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.\n\n# Impact\n\nLogging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input. \n\n# Affected versions\n\nAny Log4J version prior to v2.15.0 is affected to this specific issue.\n\nThe v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible.\n\n## Security releases\nAdditional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3\n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\n# Remediation Advice\n\n## Updated advice for version 2.16.0\n\nThe Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which [disables JNDI by default and completely removes support for message lookups](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0).\nEven in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046). More information is available on the [GitHub Security Advisory for CVE-2021-45046](https://github.com/advisories/GHSA-7rjr-3q55-vv33).\n\nUsers who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must [ensure that no such lookups resolve to attacker-provided data and ensure that the the JndiLookup class is not loaded](https://issues.apache.org/jira/browse/LOG4J2-3221).\n\nPlease note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible.",
"id": "GHSA-jfh8-c2jp-5v3q",
"modified": "2025-10-22T19:13:24Z",
"published": "2021-12-10T00:40:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2/pull/608"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/5501"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Dec/2"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Mar/23"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211210-0007"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213189"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"type": "WEB",
"url": "https://twitter.com/kurtseifried/status/1469345530182455296"
},
{
"type": "WEB",
"url": "https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5020"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/930724"
},
{
"type": "WEB",
"url": "https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7rjr-3q55-vv33"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/logging-log4j2"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/log4j-affected-db"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md"
},
{
"type": "WEB",
"url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228"
},
{
"type": "WEB",
"url": "https://github.com/tangxiaofeng7/apache-log4j-poc"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3198"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3201"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3214"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LOG4J2-3221"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/migration.html"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"type": "WEB",
"url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/2"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Mar/23"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/10/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/13/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/13/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H",
"type": "CVSS_V3"
}
],
"summary": "Remote code injection in Log4j"
}
Mitigation
Avoid adding user-controlled data into an expression interpreter when possible.
Mitigation
- If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
No CAPEC attack patterns related to this CWE.