CWE-917
AllowedImproper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Abstraction: Base · Status: Incomplete
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
170 vulnerabilities reference this CWE, most recent first.
GHSA-3RJG-J22M-WRV3
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A mediaforaction expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7178"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A mediaforaction expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-3rjg-j22m-wrv3",
"modified": "2022-05-24T17:31:18Z",
"published": "2022-05-24T17:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7178"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3V3F-5FGF-VHM9
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A selectusergroup expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7168"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A selectusergroup expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-3v3f-5fgf-vhm9",
"modified": "2022-05-24T17:31:18Z",
"published": "2022-05-24T17:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7168"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3WGQ-7P7Q-X7PG
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A iccselectdevtype expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7153"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A iccselectdevtype expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-3wgq-7p7q-x7pg",
"modified": "2022-05-24T17:31:16Z",
"published": "2022-05-24T17:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7153"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4C4W-C9RX-M633
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A reporttaskselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7161"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A reporttaskselect expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-4c4w-c9rx-m633",
"modified": "2022-05-24T17:31:17Z",
"published": "2022-05-24T17:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7161"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4J38-WJHF-884R
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-11-08 13:07JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.richfaces:richfaces-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"last_affected": "3.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-12533"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T13:07:51Z",
"nvd_published_at": "2018-06-18T12:29:00Z",
"severity": "CRITICAL"
},
"details": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.",
"id": "GHSA-4j38-wjhf-884r",
"modified": "2022-11-08T13:07:51Z",
"published": "2022-05-13T01:19:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12533"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2663"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2664"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2930"
},
{
"type": "WEB",
"url": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Mar/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary code execution in Richfaces"
}
GHSA-4PM3-F52J-8GGH
Vulnerability from github – Published: 2022-04-22 20:39 – Updated: 2022-04-22 20:39Impact
The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API.
Patches
The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 2.19.6.
Workarounds
Protection can be achieved by making the GUI (geoserver/web), the REST configuration (geoserver/rest) and the embedded GeoWebCache configuration (geoserver/gwc/rest) unreachable from remote hosts, in addition to protecting access to the file system where the GeoServer configuration is stored.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "2.20.0"
},
{
"fixed": "2.20.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.19.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24847"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:39:10Z",
"nvd_published_at": "2022-04-13T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism.\nIn order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API.\n\n### Patches\nThe lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 2.19.6.\n\n### Workarounds\nProtection can be achieved by making the GUI (``geoserver/web``), the REST configuration (``geoserver/rest``) and the embedded GeoWebCache configuration (``geoserver/gwc/rest``) unreachable from remote hosts, in addition to protecting access to the file system where the GeoServer configuration is stored.\n\n\n",
"id": "GHSA-4pm3-f52j-8ggh",
"modified": "2022-04-22T20:39:10Z",
"published": "2022-04-22T20:39:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-4pm3-f52j-8ggh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24847"
},
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/commit/b94a69943992df999d627b21a4ed056fad4569f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Input Validation in GeoServer"
}
GHSA-53VH-CCQ9-XWQ5
Vulnerability from github – Published: 2026-05-18 15:30 – Updated: 2026-05-19 15:31Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.
{
"affected": [],
"aliases": [
"CVE-2026-26462"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-18T15:16:25Z",
"severity": "HIGH"
},
"details": "Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.",
"id": "GHSA-53vh-ccq9-xwq5",
"modified": "2026-05-19T15:31:22Z",
"published": "2026-05-18T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26462"
},
{
"type": "WEB",
"url": "https://medium.com/@husaainpalh/remote-code-execution-in-offline-hospital-management-system-cve-2026-26462-bc7ac54314c4"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/hospital-management-system/files"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-53WQ-QQ5X-8G7X
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A viewtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-7176"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "A viewtaskresultdetailfact expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-53wq-qq5x-8g7x",
"modified": "2022-05-24T17:31:18Z",
"published": "2022-05-24T17:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7176"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-564R-HJ7V-MCR5
Vulnerability from github – Published: 2023-03-23 21:30 – Updated: 2024-03-14 20:51In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-expression"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-expression"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-expression"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.23.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-20861"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-23T23:10:59Z",
"nvd_published_at": "2023-03-23T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.",
"id": "GHSA-564r-hj7v-mcr5",
"modified": "2024-03-14T20:51:28Z",
"published": "2023-03-23T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-framework"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230420-0007"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2023-20861"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Spring Framework vulnerable to denial of service via specially crafted SpEL expression"
}
GHSA-5C37-W4H4-HJ3V
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A legend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
{
"affected": [],
"aliases": [
"CVE-2020-24650"
],
"database_specific": {
"cwe_ids": [
"CWE-917"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A legend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
"id": "GHSA-5c37-w4h4-hj3v",
"modified": "2022-05-24T17:31:14Z",
"published": "2022-05-24T17:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24650"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Avoid adding user-controlled data into an expression interpreter when possible.
Mitigation
- If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
- Validate that the user input will not evaluate as an expression
- Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".
No CAPEC attack patterns related to this CWE.