CVE-2021-21479
Description
SCIMono before 0.0.19 allows Java expression injection via validation messages, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
SCIMono, a Java implementation of the SCIM (System for Cross-domain Identity Management) protocol, is vulnerable to Java Expression Language (EL) injection in versions prior to 0.0.19. The root cause is the ValidationUtil.interpolateErrorMessage method, which passes user-controlled error messages straight to ConstraintValidatorContext.buildConstraintViolationWithTemplate without escaping [2]. Because Bean Validation treats that string as a message template, any EL expression embedded in it is evaluated on the server when the message is interpolated.
Exploitation
An attacker can exploit this vulnerability by sending a crafted SCIM request that triggers a validation error while embedding an EL expression in the input; the expression is then interpolated and executed by the server. No authentication is required if the SCIM endpoint is exposed, which makes the attack surface broad [2]. The fixing commit escapes the EL-significant characters ($, {, }) in the message before it reaches the interpolator [3].
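The following is an added example, not SCIMono's own code, illustrating the defensive pattern the Details and Exploitation sections describe: a helper that escapes the characters the Bean Validation message interpolator treats specially before any user-derived text is passed to buildConstraintViolationWithTemplate, and a hypothetical constraint (KnownAttribute / KnownAttributeValidator, invented here) that reports an unknown attribute name through that helper. It assumes the javax.validation API (Bean Validation 2.x, the same package the fix imports) is on the classpath; the escape set adds the backslash to the $ { } set from the fix, which is an assumption about defence in depth rather than something the advisory states.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

/**
 * Hardened helper for reporting validation errors whose text may include user input.
 * The Bean Validation interpolator gives '\', '$', '{' and '}' special meaning, so each
 * is prefixed with a backslash before the text is used as a message template.
 */
final class SafeViolationMessages {

    // The three characters escaped by the SCIMono fix plus the backslash
    // (assumption: escaping '\' as well keeps an input backslash from combining with our escapes).
    private static final Pattern TEMPLATE_SPECIAL_CHARS = Pattern.compile("([\\\\${}])");

    private SafeViolationMessages() {}

    static String escapeTemplate(String text) {
        // Java literal "\\\\$1" is the replacement string \\$1: one literal backslash, then the matched character.
        return TEMPLATE_SPECIAL_CHARS.matcher(text).replaceAll("\\\\$1");
    }

    /** Reports a violation with a message that is escaped before it becomes a template. */
    static void reportViolation(ConstraintValidatorContext context, String message) {
        context.disableDefaultConstraintViolation();
        context.buildConstraintViolationWithTemplate(escapeTemplate(message)).addConstraintViolation();
    }

    // Quick check of the escaping alone; runs without a validation provider on the classpath.
    public static void main(String[] args) {
        String[] samples = {                              // constructed sample messages
            "attribute 'userName' is required",           // plain text passes through unchanged
            "unknown attribute '${1 + 1}'",               // EL-looking input is neutralised
            "bad value {x} with a \\ backslash"           // braces and backslash are escaped too
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + escapeTemplate(s));
        }
    }
}

/** Hypothetical constraint: the annotated string must name a known SCIM attribute. */
@Documented
@Constraint(validatedBy = KnownAttributeValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface KnownAttribute {
    String message() default "unknown attribute";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

/**
 * Hypothetical validator (not SCIMono's) that, like the vulnerable code path, puts a
 * request-supplied attribute name into the error message. The only safe way to do that
 * is through the escaping helper; passing the raw name to the template would let an
 * EL expression inside it be evaluated.
 */
class KnownAttributeValidator implements ConstraintValidator<KnownAttribute, String> {

    // Constructed allow-list standing in for the schema lookup a real implementation would do.
    private static final Set<String> KNOWN = Set.of("userName", "displayName", "emails", "active");

    @Override
    public boolean isValid(String attributeName, ConstraintValidatorContext context) {
        if (attributeName == null || KNOWN.contains(attributeName)) {
            return true;
        }
        // attributeName is attacker-controlled: it must never reach the template unescaped.
        SafeViolationMessages.reportViolation(context, "unknown attribute '" + attributeName + "'");
        return false;
    }
}
```

Running the main method prints each constructed message next to its escaped form; the second sample shows the `${ ... }` delimiters arriving at the interpolator as `\$\{ ... \}`, which it renders literally instead of evaluating. Where the message does not need the user's text at all, a fixed template is simpler still and removes the interpolation risk entirely.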
Impact
Successful exploitation enables remote code execution (RCE) with the privileges of the SCIMono server process. This compromises both the availability and integrity of the system, potentially allowing an attacker to read, modify, or delete data, or disrupt service [1][2].
Mitigation
The vulnerability is fixed in SCIMono version 0.0.19, available on Maven Central [4]. Users are strongly advised to upgrade immediately. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.sap.scimono:scimono-server (Maven) | < 0.0.19 | 0.0.19 |
Affected products
- SAP SE / SCIMono, range: < 0.0.19
Patches
413b5d75fa94 Escape Java EL in validation message before interpolation (#117)
1 file changed · +8 −1
scimono-server/src/main/java/com/sap/scimono/entity/schema/validation/ValidationUtil.java+8 −1 modified@@ -1,13 +1,20 @@ package com.sap.scimono.entity.schema.validation; +import java.util.regex.Pattern; + import javax.validation.ConstraintValidatorContext; class ValidationUtil { + private static final Pattern EXPRESSION_LANGUAGE_CHARACTERS = Pattern.compile("([${}])"); public static void interpolateErrorMessage(ConstraintValidatorContext context, String errorMessage) { context.disableDefaultConstraintViolation(); - context.buildConstraintViolationWithTemplate(errorMessage).addConstraintViolation(); + context.buildConstraintViolationWithTemplate(escapeExpressionLanguage(errorMessage)).addConstraintViolation(); + } + + private static String escapeExpressionLanguage(String text) { + return EXPRESSION_LANGUAGE_CHARACTERS.matcher(text).replaceAll( "\\\\$1" ); } }
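Review bot: the character class in `Pattern.compile("([${}])")` escapes `$`, `{` and `}` but not the backslash, even though `\` is itself the escape character in Bean Validation message templates; an input that already contains a backslash therefore combines with the escapes this change inserts (for example `\$` becomes `\\$`, which the interpolator reads as an escaped backslash followed by a bare `$`), so the escaping does not round-trip cleanly. Consider adding the backslash to the class, e.g. `Pattern.compile("([\\\\${}])")`, and adding a unit test for `escapeExpressionLanguage` covering `$`, `{`, `}` and `\` inputs; the spaces inside `replaceAll( "\\\\$1" )` are also out of step with the surrounding formatting.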
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-29q4-gxjq-rx5c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21479 (GHSA, advisory)
- github.com/SAP/scimono/commit/413b5d75fa94e77876af0e47be76475a23745b80 (GHSA, web)
- github.com/SAP/scimono/security/advisories/GHSA-29q4-gxjq-rx5c (GHSA, x_refsource_CONFIRM, web)
- mvnrepository.com/artifact/com.sap.scimono/scimono-server/0.0.19 (GHSA, web)
News mentions
No linked articles in our index yet.