CVE-2021-41862
Description
AviatorScript through 5.2.7 is vulnerable to expression injection RCE via BCEL-encoded Java bytecode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
AviatorScript versions through 5.2.7 allow code execution via an expression that carries a class encoded with the Byte Code Engineering Library (BCEL) [1][2]. Within an expression the engine permits instantiation of arbitrary Java classes; the only guard it applies is to refuse calls to non-public static methods. That guard does not help here: the attacker-supplied BCEL string is decoded into a class of the attacker's choosing at evaluation time, and because the method it exposes (for example exec) is public static, the call is allowed [2]. The restriction is on method visibility, not on which classes may be loaded, so it is bypassed rather than broken.
Exploitation
To exploit the issue, an attacker prepares a malicious .class file containing a public static method (e.g., exec) that runs arbitrary OS commands, then encodes its bytes with com.sun.org.apache.bcel.internal.classfile.Utility.encode(). The resulting BCEL-encoded string is embedded in an AviatorScript expression that the application passes to the evaluator's execute() method [2]. No authentication is required if the application exposes script evaluation to untrusted users; the only prerequisite is that the attacker can supply or influence the expression string the engine processes. Two practical caveats: the BCEL classes involved are JDK-internal (com.sun.org.apache.bcel.internal), so whether they are reachable depends on the JDK version and module settings of the host, and the payload runs during evaluation, so the expression need not produce a meaningful result to succeed.
Impact
Successful exploitation lets an attacker execute arbitrary system commands inside the host JVM, i.e. full remote code execution (RCE) with the privileges of the application process. Everything that process can reach (its files, credentials, network position) is compromised, affecting the confidentiality, integrity, and availability of the affected system [1][3].
Mitigation
Upgrade to a fixed release. The references cite AviatorScript 5.3.0 or later, which limits class loading and restricts dangerous operations [1][2]; note, however, that the affected-packages table below, sourced from the GitHub Security Advisory, lists no patched version, so confirm the fix against the upstream release notes before relying on a version number. If upgrading is not immediately possible, do not evaluate expressions that untrusted users can supply or influence. Input validation is not a dependable defence against expression injection (the payload is a string the engine treats as code); where the deployed version supports them, run untrusted expressions on a dedicated evaluator instance whose feature set denies object instantiation, static member access, and module loading, and whose allowed-class set is empty. The references themselves describe no configuration-level workaround.
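The two patterns contrasted above, as an added example that is not part of the advisory or of the AviatorScript project: the injection surface the Exploitation section describes (an untrusted string handed to the global evaluator) beside a restricted evaluator instance that rejects object instantiation before anything is loaded. The option and feature names (Options.FEATURE_SET, Options.ALLOWED_CLASS_SET, Feature.asSet and the Feature constants) are the AviatorScript 5.x API as the editor recalls it and should be checked against the version you deploy; the sample expressions are constructed for the demo.

```java
// Added example, not from the advisory or the AviatorScript project.
// Option/feature names follow the AviatorScript 5.x API as recalled by the
// editor; verify them against the version in use.
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class AviatorSandboxDemo {

    // Vulnerable pattern: an expression that untrusted users can influence goes
    // straight to the global evaluator with its default feature set, which
    // accepts `new`, static member access and module loading. On a vulnerable
    // AviatorScript release this is exactly the surface CVE-2021-41862 needs.
    static Object evaluateUnsafely(String userExpression, Map<String, Object> env) {
        return AviatorEvaluator.execute(userExpression, env);
    }

    // Hardened pattern: a dedicated evaluator instance whose feature set is an
    // explicit allowlist. Anything not listed (NewInstance, StaticMethods,
    // StaticFields, Module, Use, InternalVars, Script, ...) is refused when the
    // expression is compiled, so no attacker-supplied class is ever decoded.
    static final AviatorEvaluatorInstance RESTRICTED = buildRestrictedEvaluator();

    static AviatorEvaluatorInstance buildRestrictedEvaluator() {
        AviatorEvaluatorInstance inst = AviatorEvaluator.newInstance();
        // Plain arithmetic/logic plus assignment, if, return and lambdas only.
        inst.setOption(Options.FEATURE_SET,
                Feature.asSet(Feature.Assignment, Feature.If, Feature.Return, Feature.Lambda));
        // Belt and braces: should a feature be re-enabled by mistake later,
        // an empty allowed-class set still means no class may be referenced.
        inst.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
        return inst;
    }

    // Returns the value of an acceptable expression, or null when the engine
    // refuses it (the refusal surfaces as an exception from the compiler).
    static Object evaluateRestricted(String userExpression, Map<String, Object> env) {
        try {
            return RESTRICTED.execute(userExpression, env);
        } catch (Exception e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample environment for the demo.
        Map<String, Object> env = new HashMap<>();
        env.put("qty", 3);
        env.put("price", 4);

        // A benign business expression is accepted by the restricted instance.
        System.out.println("restricted, benign: " + evaluateRestricted("qty * price", env));

        // The hostile shape is object instantiation inside the expression.
        // The restricted instance rejects it at compile time; whether the
        // default evaluator would run it depends on the AviatorScript version.
        String hostile = "new java.lang.StringBuilder('x').toString()";
        System.out.println("restricted, hostile: " + evaluateRestricted(hostile, env));
    }
}
```

The point of the allowlist form is that the decision is made by the parser, not by inspecting the string: a BCEL payload, however it is obfuscated, still has to reach a `new` or a static call to do anything, and those syntactic forms are simply not available on the restricted instance. This narrows the blast radius of an unpatched deployment; it is not a substitute for upgrading.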
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.googlecode.aviator:aviator | Maven | >= 5.2.1, <= 5.2.7 | none listed |
Affected products
- AviatorScript / AviatorScript
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-xpv2-8ppj-79hh (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-41862 (NVD entry)
- https://github.com/killme2008/aviatorscript/issues/421 (upstream issue report)