Common Weakness Enumeration

CWE-917

Allowed

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Abstraction: Base · Status: Incomplete

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

170 vulnerabilities reference this CWE, most recent first.

GHSA-H2FJ-JG64-M3P4

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A operatorgrouptreeselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A operatorgrouptreeselectcontent expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-h2fj-jg64-m3p4",
  "modified": "2022-05-24T17:31:17Z",
  "published": "2022-05-24T17:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7166"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H6M7-J4H3-9RF5

Vulnerability from github – Published: 2020-08-19 19:52 – Updated: 2021-11-19 15:36
VLAI
Summary
Remote Code Execution in SyliusResourceBundle
Details

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

sylius_grid:
    grids:
        foo:
            fields:
                bar:
                    options:
                        baz: "expr:service('sylius.repository.product').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit /route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in OptionsParser::parseOptionExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

For more information

If you have any questions or comments about this advisory: * Email us at security@sylius.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.3.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-19T19:50:49Z",
    "nvd_published_at": "2020-08-20T01:17:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nRequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.\n\nThe vulnerable versions include: `\u003c=1.3.13 || \u003e=1.4.0 \u003c=1.4.6 || \u003e=1.5.0 \u003c=1.5.1 || \u003e=1.6.0 \u003c=1.6.3`.\n\n### Example\n\n```yaml\nsylius_grid:\n    grids:\n        foo:\n            fields:\n                bar:\n                    options:\n                        baz: \"expr:service(\u0027sylius.repository.product\u0027).find($id)\"\n```\n\nIn this case, `$id` can be prepared in a way that calls other services. \n\nIf you visit `/route?id=\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"`, it will result in a following expression `expr:service(\u0027repository\u0027).find(\"\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"\")`, which will execute a query on the currently connected database.\n\nTo find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.\n\n### Patches\n\nThis issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.\n\n### Workarounds\n\nThe fix requires adding `addslashes` in `OptionsParser::parseOptionExpression` to sanitize user input before evaluating it using the expression language.\n\n```php\n- return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, $variable) : $variable;\n+ return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, addslashes($variable)) : $variable;\n```\n\n### Acknowledgements\n\nThis security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-h6m7-j4h3-9rf5",
  "modified": "2021-11-19T15:36:47Z",
  "published": "2020-08-19T19:52:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/SyliusResourceBundle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Code Execution in SyliusResourceBundle"
}

GHSA-HFQV-QM4H-QGQV

Vulnerability from github – Published: 2024-12-20 15:30 – Updated: 2024-12-20 15:30
VLAI
Details

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and

12.0.0 through 12.0.4

is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-20T14:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and \n\n12.0.0 through 12.0.4\n\nis vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.",
  "id": "GHSA-hfqv-qm4h-qgqv",
  "modified": "2024-12-20T15:30:48Z",
  "published": "2024-12-20T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51466"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7179496"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJP9-GQ92-XJR3

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A deviceselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A deviceselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-hjp9-gq92-xjr3",
  "modified": "2022-05-24T17:31:20Z",
  "published": "2022-05-24T17:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7190"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HQXH-R866-2RGJ

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A reportpage index expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A reportpage index expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-hqxh-r866-2rgj",
  "modified": "2022-05-24T17:31:20Z",
  "published": "2022-05-24T17:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7187"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J388-8RM5-P97F

Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31
VLAI
Details

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.

Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41729"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T00:16:52Z",
    "severity": "HIGH"
  },
  "details": "Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.",
  "id": "GHSA-j388-8rm5-p97f",
  "modified": "2026-06-10T00:31:52Z",
  "published": "2026-06-10T00:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41729"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41729"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J7QM-W3QX-8F3F

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A chooseperfview expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A chooseperfview expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-j7qm-w3qx-8f3f",
  "modified": "2022-05-24T17:31:15Z",
  "published": "2022-05-24T17:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7145"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J927-W6G7-7C7W

Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2023-07-20 14:57
VLAI
Summary
Apache Jena Expression Language Injection vulnerability
Details

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.jena:jena"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-12T17:29:39Z",
    "nvd_published_at": "2023-07-12T08:15:10Z",
    "severity": "HIGH"
  },
  "details": "There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0.\n\n",
  "id": "GHSA-j927-w6g7-7c7w",
  "modified": "2023-07-20T14:57:59Z",
  "published": "2023-07-12T09:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32200"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/jena"
    },
    {
      "type": "WEB",
      "url": "https://jena.apache.org/about_jena/security-advisories.html#cve-2023-32200---exposure-of-execution-in-script-engine-expressions"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Jena Expression Language Injection vulnerability"
}

GHSA-JC35-Q369-45PV

Vulnerability from github – Published: 2022-02-09 22:51 – Updated: 2025-10-22 17:57
VLAI
Summary
Remote code execution in Apache Struts
Details

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-09T21:42:05Z",
    "nvd_published_at": "2020-12-11T02:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.",
  "id": "GHSA-jc35-q369-45pv",
  "modified": "2025-10-22T17:57:43Z",
  "published": "2022-02-09T22:51:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17530"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210115-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN43969166/index.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code execution in Apache Struts"
}

GHSA-JFH8-C2JP-5V3Q

Vulnerability from github – Published: 2021-12-10 00:40 – Updated: 2025-10-22 19:13
VLAI
Summary
Remote code injection in Log4j
Details

Summary

Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per Apache's Log4j security guide: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default.

Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the Updated advice for version 2.16.0 section of this advisory.

Impact

Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input.

Affected versions

Any Log4J version prior to v2.15.0 is affected to this specific issue.

The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible.

Security releases

Additional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3

Affected packages

Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api should be kept at the same version as the org.apache.logging.log4j:log4j-core package to ensure compatability if in use.

Remediation Advice

Updated advice for version 2.16.0

The Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which disables JNDI by default and completely removes support for message lookups. Even in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as CVE-2021-45046. More information is available on the GitHub Security Advisory for CVE-2021-45046.

Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must ensure that no such lookups resolve to attacker-provided data and ensure that the the JndiLookup class is not loaded.

Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0-beta9"
            },
            {
              "fixed": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4"
            },
            {
              "fixed": "2.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.guicedee.services:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.1.2-jre17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xbib.elasticsearch:log4j"
      },
      "versions": [
        "6.3.2.1"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "uk.co.nichesolutions.logging.log4j:log4j-core"
      },
      "versions": [
        "2.6.3-CUSTOM"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.ops4j.pax.logging:pax-logging-log4j2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.ops4j.pax.logging:pax-logging-log4j2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.ops4j.pax.logging:pax-logging-log4j2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.ops4j.pax.logging:pax-logging-log4j2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-44228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400",
      "CWE-502",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-10T00:40:41Z",
    "nvd_published_at": "2021-12-10T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "# Summary\n\nLog4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.\nAs per [Apache\u0027s Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 \u003c=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default.\n\nLog4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.\n\n# Impact\n\nLogging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input. \n\n# Affected versions\n\nAny Log4J version prior to v2.15.0 is affected to this specific issue.\n\nThe v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.16.0 where possible.\n\n## Security releases\nAdditional backports of this fix have been made available in versions 2.3.1, 2.12.2, and 2.12.3\n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\n# Remediation Advice\n\n## Updated advice for version 2.16.0\n\nThe Apache Logging Services team provided updated mitigation advice upon the release of version 2.16.0, which [disables JNDI by default and completely removes support for message lookups](https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0).\nEven in version 2.15.0, lookups used in layouts to provide specific pieces of context information will still recursively resolve, possibly triggering JNDI lookups. This problem is being tracked as [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046). More information is available on the [GitHub Security Advisory for CVE-2021-45046](https://github.com/advisories/GHSA-7rjr-3q55-vv33).\n\nUsers who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must [ensure that no such lookups resolve to attacker-provided data and ensure that the the JndiLookup class is not loaded](https://issues.apache.org/jira/browse/LOG4J2-3221).\n\nPlease note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.16.0 where possible.",
  "id": "GHSA-jfh8-c2jp-5v3q",
  "modified": "2025-10-22T19:13:24Z",
  "published": "2021-12-10T00:40:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4j2/pull/608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/5501"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2022/Dec/2"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2022/Jul/11"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2022/Mar/23"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211210-0007"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213189"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
    },
    {
      "type": "WEB",
      "url": "https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5020"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/930724"
    },
    {
      "type": "WEB",
      "url": "https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-7rjr-3q55-vv33"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/logging-log4j2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/log4j-affected-db"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tangxiaofeng7/apache-log4j-poc"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/LOG4J2-3198"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/LOG4J2-3201"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/LOG4J2-3214"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/LOG4J2-3221"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/manual/migration.html"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/security.html"
    },
    {
      "type": "WEB",
      "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/2"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Jul/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/10/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/10/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/10/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/13/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/13/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code injection in Log4j"
}

Mitigation
Architecture and Design

Avoid adding user-controlled data into an expression interpreter when possible.

Mitigation
Implementation
  • If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
  • Validate that the user input will not evaluate as an expression
  • Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
System Configuration Operation

The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".

No CAPEC attack patterns related to this CWE.