1. Home
  2. CWE Database
  3. CWE-917
Base · Medium

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does no...

CWE-917 · Base Level ·1 CVEs ·3 Mitigations

Description

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Frameworks such as Java Server Page (JSP) allow a developer to insert executable expressions within otherwise-static content. When the developer is not aware of the executable nature of these expressions and/or does not disable them, then if an attacker can inject expressions, this could lead to code execution or other unexpected behaviors.

Potential Impact

Confidentiality

Read Application Data

Integrity

Execute Unauthorized Code or Commands

Mitigations & Prevention

Architecture and Design

Avoid adding user-controlled data into an expression interpreter when possible.

Implementation

If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:

System ConfigurationOperation

The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2021-44228Product does not neutralize ${xyz} style expressions, allowing remote code execution. (log4shell vulnerability in log4j)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it doe...

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incor...

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an ups...

Frequently Asked Questions

What is CWE-917?

CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does no...

How can CWE-917 be exploited?

Attackers can exploit CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')) to read application data. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-917?

Key mitigations include: Avoid adding user-controlled data into an expression interpreter when possible.

What is the severity of CWE-917?

CWE-917 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.