CVE-2011-2730: EL expressions double evaluation
When a container supports Expression Language (EL), this package evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a name attribute in a spring:hasBindErrors tag; a path attribute in a spring:bind or spring:nestedpath tag; an arguments, code, text, var, scope, or message attribute in a spring:message or spring:theme tag; or a var, scope, or value attribute in a spring:transform tag, aka Expression Language Injection.
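As an added illustration that is not part of the advisory, the deployment-descriptor switch Spring provides for its own EL evaluation in JSP tags: the context parameter name springJspExpressionSupport is Spring's, while the assumption here is that its default varies by release, so the fragment sets it explicitly to keep the container as the only EL evaluator.

```xml
<!-- web.xml fragment (added example, not taken from the advisory) -->
<web-app>
  <!-- Weak setting: Spring's JSP tags run their own EL pass over attribute
       values that the Servlet container (2.4+) has already evaluated, so a
       request-derived value can be evaluated a second time as an expression. -->
  <!--
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>true</param-value>
  </context-param>
  -->
  <!-- Hardened setting: leave EL evaluation to the container and stop
       Spring's tags (spring:message, spring:bind, spring:transform, ...)
       from re-evaluating their attribute values. -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
```

The parameter is only honoured by Spring releases that recognise it, so moving to a release that contains the fix remains the primary remediation; the setting is a belt-and-braces check that the tags are not evaluating EL themselves.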