CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement

Description

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Latest vulnerabilities for CWE-917

Expression language injection in IBM Storage Copy Data Management 2024-03-25
High Yes

Multiple vulnerabilities in IBM Storage Protect Plus Server 2024-03-22
High Yes

Improper neutralization of special elements used in an expression language statement in IBM Integration Bus 2023-12-14
Medium Yes

Multiple vulnerabilities in Autodesk InfraWorks 2023-04-26
Critical Yes

Multiple vulnerabilities in IBM Planning Analytics Workspace 2022-11-29
High Yes

Remote code execution in Spring Data MongoDB 2022-06-21
High Yes

References

Description of CWE-917 on Mitre website