CVE: 2021-28170 found in Jakarta Expression Language Implementation - Version: 3.0.3 [JAVA]

[bnreplah]

Veracode Software Composition Analysis

Attribute	Details
Library	Jakarta Expression Language Implementation
Description	Jakarta Expression Language Implementation
Language	JAVA
Vulnerability	Insecure Token
Vulnerability description	jakarta.el is vulnerable to Insecure Token. The vulnerability exists due to a bug in the ELParserTokenManager which enables invalid EL expressions to be evaluated as if they were valid.
CVE	2021-28170
CVSS score	5
Vulnerability present in version/s	3.0.2-3.0.3
Found library version/s	3.0.3
Vulnerability fixed in version	3.0.4
Library latest version	5.0.0-M1
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/2026670?version=3.0.3
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/33458
• Patch: jakartaee/expression-language@c76b9e6