CVE ID(s)
Report
Java Expression Language (JEXL) is a simple expression language provided by the [Apache Commons JEXL](https://github.com/apache/commons-jexl) library. If a JEXL expression is built from attacker-controlled data and then evaluated, the attacker may be able to run arbitrary code (CWE-094). Here are several examples of JEXL injections:
I wrote a new experimental query that looks for potential JEXL injections:
github/codeql#4965
- The query covers both JEXL 2 and 3 versions (there are differences in the APIs).
- The query covers both JEXL expressions and scripts.
- Added a qhelp file and an example of vulnerable code.
- Added tests.
I am planning to write a post about detecting EL injections with CodeQL.
I also wrote a blog post about detecting JEXL injections with CodeQL.
Result(s)
- RCE in Traccar: This is an RCE in one of the REST endpoints.
- CVE-2021-3396: RCE in OpenNMS/newts, security advisory.
Also, the query detected a dataflow path in a command-line tool offered by commons-jexl. This result is not very interesting since the tool is only for testing/development purposes.
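To make the source-to-sink pattern the query looks for concrete, here is an added example (not code from the report or from Apache Commons JEXL) showing the vulnerable shape beside a fixed one. It assumes JEXL 3.x; the class and method names (`evaluateUntrusted`, `evaluateFixed`) are hypothetical, while the JEXL calls (`JexlBuilder`, `createExpression`, `MapContext`, `JexlSandbox`) are the library's own.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

// Hypothetical example class; illustrates the CWE-094 pattern, not real project code.
public class JexlInjectionExample {

    // BAD: the request parameter itself becomes the expression source text.
    // This is the dataflow the query flags: remote input -> createExpression/createScript.
    // Anything the caller types is parsed and evaluated with full introspection.
    static Object evaluateUntrusted(String userInput) {
        JexlEngine jexl = new JexlBuilder().create();
        JexlExpression expr = jexl.createExpression(userInput); // sink
        return expr.evaluate(new MapContext());
    }

    // GOOD: the expression text is a server-side constant; user data is bound
    // as a context variable, so it is treated as a value, never as code.
    // A white-list sandbox is added as defence in depth: with JexlSandbox(false)
    // every class is blocked unless explicitly allowed, and only the listed
    // String methods may be executed from within an expression.
    static Object evaluateFixed(String userInput) {
        JexlSandbox sandbox = new JexlSandbox(false);
        sandbox.white(String.class.getName()).execute("length", "toUpperCase");

        JexlEngine jexl = new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // undefined variables are errors, not silent nulls
                .silent(false)  // evaluation failures throw instead of being swallowed
                .create();

        JexlExpression expr = jexl.createExpression("input.toUpperCase()"); // constant
        JexlContext ctx = new MapContext();
        ctx.set("input", userInput); // taint stays in data, never reaches the parser
        return expr.evaluate(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary text, handled safely by the fixed version.
        System.out.println(evaluateFixed("hello from a request parameter"));
    }
}
```

The sandbox limits what an expression can reach through introspection, but the actual fix for the CWE-094 finding is the first change: never let attacker-controlled text form the expression or script source.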