CVE-2021-28170
Description
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.sun.el:el-ri (Maven) | < 3.0.4 | 3.0.4 |
| org.glassfish:jakarta.el (Maven) | < 3.0.4 | 3.0.4 |
| org.glassfish:javax.el (Maven) | <= 3.0.1-b12 | — |
Affected products
- (no CPE) range: < 3.0.4
- (no CPE) range: < 3.0.4
- (no CPE) range: <= 3.0.1-b12
- range: unspecified
Patches
Vulnerability mechanics
Root cause
"The ELParserTokenManager fails to properly validate and tokenize escaped expression delimiters, allowing invalid EL expressions to be evaluated as valid."
Attack vector
An attacker can supply an invalid EL expression that is not properly tokenized by the `ELParserTokenManager`, causing it to be evaluated as if it were valid. This is an expression language injection [CWE-917] where special delimiter characters (`$` and `#`) are not correctly neutralized. The attack vector is input-driven — any component that passes user-controlled strings into an EL evaluation context is potentially exploitable.
Affected code
The bug resides in the `ELParserTokenManager` of the Jakarta Expression Language implementation (version 3.0.3 and earlier). The patch adds a new test class `EscapingTest` in the `org.glassfish.el.test` package that validates correct handling of escaped expression delimiters like `$${...}` and `$\#{...}`.
What the fix does
The patch introduces a test suite (`EscapingTest`) that verifies correct handling of escaped expression delimiters. For example, `$${1+1}` should evaluate to the literal string `$2` (the outer `$` is literal, the inner `${1+1}` is evaluated), and `$\${1+1}` should produce the literal `$${1+1}`. These tests confirm that the `ELParserTokenManager` now properly distinguishes escaped delimiters from actual expression start markers, closing the injection vector.
Preconditions
- input: The application must evaluate user-controlled strings as EL expressions without prior sanitization.
- config: The vulnerable EL implementation version must be 3.0.3 or earlier.
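The escaping rules described under "What the fix does" (`$${1+1}` yields `$2`, `$\${1+1}` yields the literal `$${1+1}`) can be turned into a defender-side precondition check for the first bullet above. The following is an added example, a constructed reference model written for this page and not the `el-ri` tokenizer or any Jakarta EL API: it splits a template into literal text and expression segments, reports whether user input would be evaluated, and neutralizes live delimiters before the string reaches an EL context. It assumes the only escape is a backslash immediately before `${` or `#{`, and it matches the first `}` (the real parser also handles quoted strings inside expressions).

```python
import re
from typing import List, Tuple

# Constructed reference model of EL template tokenizing, not the el-ri code:
# "\${" / "\#{" are literal "${" / "#{", a lone "$" or "#" not followed by "{"
# is literal, and "${...}" / "#{...}" is an expression to be evaluated.
Segment = Tuple[str, str]  # ("text", value) or ("expr", value)

def tokenize(template: str) -> List[Segment]:
    segments: List[Segment] = []
    buf: List[str] = []
    i, n = 0, len(template)
    while i < n:
        c = template[i]
        # Escaped delimiter: emit "${" or "#{" as literal text, drop the "\".
        if c == "\\" and template[i + 1:i + 3] in ("${", "#{"):
            buf.append(template[i + 1:i + 3])
            i += 3
            continue
        # Expression start: runs to the first "}" (simplification, see lead-in).
        if c in "$#" and template[i + 1:i + 2] == "{":
            close = template.find("}", i + 2)
            if close == -1:
                raise ValueError(f"unterminated expression at offset {i}")
            if buf:
                segments.append(("text", "".join(buf)))
                buf = []
            segments.append(("expr", template[i + 2:close]))
            i = close + 1
            continue
        buf.append(c)  # everything else, including a lone "$" or "#", is literal
        i += 1
    if buf:
        segments.append(("text", "".join(buf)))
    return segments

def contains_expression(user_input: str) -> bool:
    """True if the string would be (even partially) evaluated as EL."""
    try:
        return any(kind == "expr" for kind, _ in tokenize(user_input))
    except ValueError:
        return True  # an unterminated "${" is still an evaluation attempt

def neutralize(user_input: str) -> str:
    """Escape every live "${" / "#{" so the string round-trips as literal text."""
    return re.sub(r"(?<!\\)([$#])\{", r"\\\1{", user_input)
```

Rejecting input where `contains_expression` is true, or passing it through `neutralize`, removes the precondition that makes the parser bug reachable.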
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v6w3-2prq-h95f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-28170 (NVD)
- securitylab.github.com/advisories/GHSL-2020-021-jakarta-el (GitHub Security Lab advisory)
- github.com/eclipse-ee4j/el-ri/issues/155 (issue)
- github.com/eclipse-ee4j/el-ri/pull/160/commits/b6a3943ac5fba71cbc6719f092e319caa747855b (fix commit)
- security.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISH-1297098 (Snyk)
- security.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISH-2841368 (Snyk)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)