CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE List: Individual Dictionary Definition (CWE version 2.8)
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Weakness ID: 917 (Weakness Base) | Status: Incomplete
+ Description

Description Summary

The software constructs all or part of an Expression Language (EL) statement in a JavaServer Page (JSP) using externally influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements (such as the `${` and `#{` delimiters) that could modify the intended EL statement before it is executed.
+ Alternate Terms
EL Injection
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

Java

+ Common Consequences
Scope: Confidentiality
Technical Impact: Read application data
Scope: Integrity
Technical Impact: Execute unauthorized code or commands

+ Weakness Ordinalities
Ordinality: Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature: ChildOf | Type: Weakness Class | ID: 77 | Name: Improper Neutralization of Special Elements used in a Command ('Command Injection')
View(s) this relationship pertains to: Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Relationship Notes

In Spring Framework 3.0.5 and earlier there was a vulnerability (CVE-2011-2730) in which the Spring JSP tags evaluated Expression Language attributes twice: the JSP container first resolved `${param.x}` to the user-supplied string, and the tag then evaluated that string again as EL. This effectively exposed any application using those tags to EL injection. Even in later versions, this weakness is still possible depending on configuration, and whenever the application itself builds an EL statement from user input.
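The following is an added example, not code from the CWE entry or from the Spring project, that illustrates both the description above and the double-evaluation pattern behind CVE-2011-2730 using the standard `javax.el` API. It assumes the EL 3.0 API and an implementation on the classpath (for example `javax.el:javax.el-api:3.0.0` together with `org.glassfish:javax.el:3.0.0`); the `secrets` bean and the `dbPassword` value are constructed sample application state, and the `renderVulnerable` / `renderSafe` names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.el.ELContext;
import javax.el.ELManager;
import javax.el.ELProcessor;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;

/**
 * Demonstrates CWE-917: attacker-controlled text reaching the EL engine as an
 * expression instead of as data. Added example; assumes javax.el 3.0 on the classpath.
 */
public class ElInjectionDemo {

    private final ELProcessor elp = new ELProcessor();
    private final ELContext ctx = elp.getELManager().getELContext();
    private final ExpressionFactory factory = ELManager.getExpressionFactory();

    ElInjectionDemo() {
        // Constructed sample state: something only the application should be able to read.
        Map<String, String> secrets = new HashMap<>();
        secrets.put("dbPassword", "hunter2");
        elp.defineBean("secrets", secrets);
    }

    /** Evaluates a composite string such as "Hello ${name}" the way a JSP tag handler does. */
    String evalTemplate(String template) {
        ValueExpression ve = factory.createValueExpression(ctx, template, String.class);
        return (String) ve.getValue(ctx);
    }

    /**
     * VULNERABLE (mimics CVE-2011-2730). The JSP container has already turned
     * ${param.msg} into the raw user string; the tag then evaluates that string
     * again as EL, so "${secrets.dbPassword}" sent by the attacker is executed.
     */
    String renderVulnerable(String userInput) {
        String afterFirstEvaluation = userInput;      // result of the container's ${param.msg} pass
        return evalTemplate(afterFirstEvaluation);    // second evaluation: attacker-controlled EL runs
    }

    /**
     * SAFE. The user string is bound to a named EL variable and only referenced
     * from a fixed template, so it is treated as data and never parsed as EL.
     * This is the EL analogue of a parameterized query.
     */
    String renderSafe(String userInput) {
        elp.defineBean("msg", userInput);
        return evalTemplate("Message: ${msg}");
    }

    /** Defence-in-depth check: reject input that carries EL delimiters at all. */
    static boolean containsElDelimiters(String s) {
        return s.contains("${") || s.contains("#{");
    }

    public static void main(String[] args) {
        ElInjectionDemo demo = new ElInjectionDemo();
        // Constructed attacker-supplied query parameter value.
        String payload = "${secrets.dbPassword}";

        System.out.println("delimiters present: " + containsElDelimiters(payload));
        System.out.println("vulnerable render : " + demo.renderVulnerable(payload));
        System.out.println("safe render       : " + demo.renderSafe(payload));
    }
}
```

Run with `javac` and `java` after putting the two EL jars on the classpath. `renderVulnerable` returns the secret, because the attacker's text was handed to the EL engine as an expression; `renderSafe` returns the literal string `Message: ${secrets.dbPassword}`, because the text only ever travelled through the `msg` variable. With EL 2.2 and later, which allow method invocation, the same double evaluation lets an attacker call arbitrary methods rather than just read data, which is the path to code execution covered by the Amodio reference below.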

+ References
Stefano Di Paola and Arshan Dabirsiaghi. "Expression Language Injection". <http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf>.
Dan Amodio. "Remote Code with Expression Language Injection". 2012-12-14. <http://danamodio.com/application-security/discoveries/spring-remote-code-with-expression-language-injection/>.
+ Content History
Submissions
2013-02-15: MITRE (Internal CWE Team)
Contributions
2013-02-15: Dan Amodio, Dave Wichers (Aspect Security), Feedback. Suggested adding this weakness and provided references.
Page Last Updated: July 30, 2014