CVE-2021-28170 in WebLogic Server
Summary
by MITRE • 05/27/2021
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
Analysis
by VulDB Data Team • 06/26/2025
CVE-2021-28170 affects the Jakarta Expression Language implementation (the Eclipse GlassFish reference implementation, versions 3.0.3 and earlier). The defect is in ELParserTokenManager, the JavaCC-generated tokenizer that turns an expression string into the token stream the EL parser consumes. Because of it, certain syntactically invalid expressions are tokenized as though they were well-formed, so they proceed to evaluation instead of being rejected with an ELException. That matters because applications routinely treat the parser's syntax check as a last line of defence against malformed or hostile expressions; with this bug that check is weaker than intended.
The advisory does not publish the offending inputs, so the mechanism can only be described in general terms: in some edge cases the token manager accepts token sequences it should reject, and the parser, trusting its tokenizer, builds an evaluable expression tree from them. On its own the bug is a parser-strictness defect, not an injection; it becomes security-relevant when attacker-controlled text reaches the expression evaluator, which is why NVD classifies the issue under CWE-917 (improper neutralization of special elements used in an expression language statement). The CWE-252 (unchecked return value) label does not describe this mechanism: no return code is ignored, the tokenizer simply emits the wrong tokens for the input.
How much this matters depends entirely on where untrusted data enters. An application that only evaluates expressions it authored itself (fixed JSP/JSF page expressions, compiled templates) gains an attack surface only if some other bug lets an attacker influence those strings. An application that builds expression source from request data, template fragments or configuration it does not control is already exposed to expression language injection, and in that setting EL is a well-known route to arbitrary method invocation through reflection, reading of server-side objects, and bypass of authorization checks written in EL; a parser that additionally accepts malformed syntax widens the set of inputs that survive whatever pre-filtering the application performs. The populations most affected are therefore web applications and frameworks that hand user-supplied strings to the EL evaluator for dynamic content or template processing.
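The distinction that decides whether this bug matters in a given application, shown as an added example that is not VulDB's or the Jakarta EL project's code: it assumes the javax.el 3.0.x API and an implementation such as the org.glassfish:jakarta.el Maven artifact on the classpath (the package is javax.el in 3.0.x and jakarta.el from 4.0), and the method names and the injected input are constructed for illustration.

```java
// Added example, not VulDB's or the Jakarta EL project's code. Assumes the
// javax.el 3.0.x API plus an implementation (e.g. org.glassfish:jakarta.el)
// on the classpath; in EL 4.0+ the package is jakarta.el.
import javax.el.ELException;
import javax.el.ELProcessor;

public class ElInjectionDemo {

    // VULNERABLE pattern (constructed): the untrusted string becomes part of
    // the expression SOURCE, so the EL tokenizer and parser decide what it
    // means. Their strictness is the only thing standing between the input
    // and evaluation, which is exactly the control CVE-2021-28170 weakens.
    static Object greetUnsafe(String userName) {
        ELProcessor elp = new ELProcessor();
        return elp.eval("'Hello, ' += '" + userName + "'");
    }

    // SAFE pattern: the expression source is a constant the application wrote;
    // the untrusted string is bound as a VALUE and can only ever be data, no
    // matter how the parser treats malformed syntax.
    static Object greetSafe(String userName) {
        ELProcessor elp = new ELProcessor();
        elp.defineBean("userName", userName);
        return elp.eval("'Hello, ' += userName");
    }

    public static void main(String[] args) {
        // Constructed input: closes the string literal, injects an arithmetic
        // expression, then reopens the literal so the whole string still parses.
        String payload = "' += (6 * 7) += '";

        System.out.println("unsafe: " + greetUnsafe(payload));
        System.out.println("safe:   " + greetSafe(payload));

        // In the unsafe path a parse error is the application's only signal
        // that hostile syntax arrived; syntax the parser wrongly accepts is
        // evaluated silently instead.
        try {
            greetUnsafe("' +="); // constructed malformed input (unterminated literal)
        } catch (ELException e) {
            System.out.println("rejected by parser: " + e.getMessage());
        }
    }
}
```

In the unsafe path the injected arithmetic is evaluated and its result is spliced into the greeting; in the safe path the same payload comes back verbatim as text. The fix for injection is the second shape, binding data as a bean or variable, and a parser upgrade restores the depth of the first shape's defence without turning it into a control you should rely on.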
Mitigation is a version upgrade: move to a Jakarta Expression Language implementation of 3.0.4 or later, which carries the tokenizer fix. First establish which implementation is actually loaded, since the affected code is usually an indirect dependency: check the build's dependency tree for the org.glassfish:jakarta.el (or older javax.el) artifacts, and note that application servers that bundle their own copy (the page title names WebLogic Server) receive the fix through the vendor's patch cycle rather than through a direct dependency bump. Independently of the version, review every place where request data, template fragments or configuration values are concatenated into an expression string, and bind untrusted values as variables or beans instead, so the parser never sees attacker-controlled syntax; treat parser strictness as defence in depth, not as the control. Detection options are limited: log and alert on bursts of ELException from parsing, which indicate probing, and add request-level signatures for EL delimiters (${ and #{) in parameters, bearing in mind that such signatures catch only unobfuscated attempts. The bug is a reminder that a generated tokenizer is part of the security boundary, and that negative test cases (malformed expressions that must be rejected) belong in the test suite of any expression evaluator. VulDB tags the issue with ATT&CK T1059.007 (Command and Scripting Interpreter: JavaScript) and T1211 (Exploitation for Defense Evasion); neither is specific to EL, so the tags are a coarse classification rather than a description of an observed attack path.
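A regression harness of the kind the paragraph above calls for, added here and not taken from VulDB or the Jakarta EL project. It parses a constructed set of well-formed and malformed expressions without evaluating them and reports any malformed one the loaded implementation accepts, plus any well-formed one it rejects, so it can gate a build. It assumes the javax.el 3.0.x API and an implementation such as org.glassfish:jakarta.el on the classpath; the sample expressions are constructed for illustration and are not the inputs that triggered CVE-2021-28170, which the advisory does not publish.

```java
// Added example, not VulDB's or the Jakarta EL project's code. Assumes the
// javax.el 3.0.x API plus an implementation (e.g. org.glassfish:jakarta.el) on
// the classpath. The expressions below are constructed for illustration; they
// are not the specific inputs behind CVE-2021-28170.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.el.ELContext;
import javax.el.ELException;
import javax.el.ELManager;
import javax.el.ExpressionFactory;

public class ElParserStrictnessCheck {

    private static final ExpressionFactory FACTORY = ExpressionFactory.newInstance();
    private static final ELContext CONTEXT = new ELManager().getELContext();

    // Parse only, no evaluation: a syntax error surfaces as ELException.
    static boolean parses(String expression) {
        try {
            FACTORY.createValueExpression(CONTEXT, expression, Object.class);
            return true;
        } catch (ELException e) {
            return false;
        }
    }

    // Malformed inputs the loaded implementation failed to reject.
    static List<String> wronglyAccepted(List<String> malformed) {
        List<String> hits = new ArrayList<>();
        for (String e : malformed) {
            if (parses(e)) {
                hits.add(e);
            }
        }
        return hits;
    }

    // Well-formed inputs the loaded implementation failed to accept (a sanity
    // check that the harness is not simply failing every parse).
    static List<String> wronglyRejected(List<String> wellFormed) {
        List<String> hits = new ArrayList<>();
        for (String e : wellFormed) {
            if (!parses(e)) {
                hits.add(e);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed positive cases: ordinary EL 3.0 syntax that must parse.
        List<String> wellFormed = Arrays.asList(
                "${1 + 2}",
                "${'a' += 'b'}",
                "#{empty user.roles}",
                "${order.items[0].price * 1.2}",
                "${(total > 100) ? 'bulk' : 'retail'}");

        // Constructed negative cases: each contains a syntax error that a strict
        // tokenizer and parser must reject.
        List<String> malformed = Arrays.asList(
                "${1 +}",
                "${(1 + 2}",
                "${'unterminated}",
                "${order..items}",
                "${1 2}",
                "${?}");

        // The factory class tells you which implementation is really loaded,
        // which is the first thing to confirm before trusting a version number.
        System.out.println("implementation: " + FACTORY.getClass().getName());

        List<String> rejected = wronglyRejected(wellFormed);
        List<String> accepted = wronglyAccepted(malformed);
        System.out.println("well-formed but rejected: " + rejected);
        System.out.println("malformed but accepted:   " + accepted);

        // Non-zero exit makes this usable as a build-time gate.
        if (!accepted.isEmpty() || !rejected.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Extend the malformed list with the inputs your own fuzzing or code review turns up, and keep the harness after the upgrade: it costs nothing and catches the same class of regression in any future implementation you swap in.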