exploitDog

CVE-2023-51079

Published: 27 Dec 2023
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups. NOTE: the vendor disputes this because "the only thing that you could expect is that the parser will take a crazy amount of time to complete its task."

[DISPUTED] A vulnerability was found in the ParseTools.subCompileExpression() method in the Mvel package. This vulnerability manifests as a TimeOut error, and may allow an attacker to leverage the TimeOut error to disrupt the normal functioning of the system or application, potentially leading to undesired outcomes or disruptions.

Report

This CVE is disputed because the only anticipated outcome is that the parser will take an exceptionally long time to complete its task.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| OpenShift Serverless | mvel | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | mvel | Not affected | | |
| Red Hat Build of Keycloak | mvel | Not affected | | |
| Red Hat build of OptaPlanner 8 | mvel | Not affected | | |
| Red Hat build of Quarkus | org.mvel/mvel2 | Not affected | | |
| Red Hat Data Grid 8 | mvel | Not affected | | |
| Red Hat Decision Manager 7 | mvel | Not affected | | |
| Red Hat Fuse 7 | mvel | Not affected | | |
| Red Hat Integration Camel K 1 | mvel | Not affected | | |
| Red Hat JBoss Data Grid 7 | mvel | Not affected | | |

Additional information

Status: Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2256065
mvel: TimeOut error when calling ParseTools.subCompileExpression() function

EPSS

Percentile: 27%
0.00094
Low

5.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 5.3
ubuntu
about 2 years ago

A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups. NOTE: the vendor disputes this because "the only thing that you could expect is that the parser will take a crazy amount of time to complete its task."

CVSS3: 5.3
nvd
about 2 years ago

A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups. NOTE: the vendor disputes this because "the only thing that you could expect is that the parser will take a crazy amount of time to complete its task."

CVSS3: 5.3
github
about 2 years ago

mvel2 TimeOut error exists in the ParseTools.subCompileExpression method
