Description
Remote Code Execution in com.bstek.uflo:uflo-core
All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via the jexl.createExpression(expression).evaluate(context) call, because the expression string is not properly validated before it is evaluated.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-25894
- https://fmyyy1.github.io/2022/10/23/uflo2rce
- https://github.com/youseries/uflo/blob/b3e198bc6523e5a6ba69edd84ba10e05a3b78726/uflo-core/src/main/java/com/bstek/uflo/expr/impl/ExpressionContextImpl.java#L126
- https://security.snyk.io/vuln/SNYK-JAVA-COMBSTEKUFLO-3091112
Packages
Name: com.bstek.uflo:uflo-core
Ecosystem: maven
Affected versions: <= 2.1.5
Fixed version: none
Related vulnerabilities
CVSS3: 9.8
Source: nvd
Published: about 3 years ago
All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via the jexl.createExpression(expression).evaluate(context) call, due to improper user input validation.