- **Weakness ID**: 917
- **Vulnerability Mapping**: ALLOWED
- **Description**:
  - The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
- **Common Consequences**:
  - **Impact**:
    - **Scope**: Confidentiality
    - **Scope**: Integrity
- **Potential Mitigations**:
  - **Architecture and Design**: Avoid adding user-controlled data into an expression interpreter when possible.
  - **Implementation**:
    - Validate that the user input will not evaluate as an expression.
    - Encode the user input in a way that ensures it is not evaluated as an expression.
  - **System Configuration; Operation**: The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the `isELIgnored` attribute for a JSP page to `"true"`.
- **Modes of Introduction**:
  - **Phase**: Architecture and Design, Implementation
  - **Note**: Java (Undetermined Prevalence)
- **Applicable Platforms**: Java
- **Selected Observed Examples**:
  - CVE-2021-44228 - Product does not neutralize `${xyz}` style expressions, allowing remote code execution. (log4shell vulnerability in log4j)
- **Weakness Ordinalities**: Primary (where the weakness exists independent of other weaknesses)
- **Detection Methods**:
  - **Automated Static Analysis**: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.). Effectiveness: High
- **Maintenance**: The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.
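As an added example (not part of the CWE entry), the two Implementation-level mitigations above applied to the JSP template-text case in Java: a validator that rejects input containing an EL opener, and an encoder that escapes it; the class and method names are this example's own, and it assumes the value is written into JSP template text with EL enabled.

```java
import java.util.List;

/**
 * Added example for the "Validate" and "Encode" mitigations of CWE-917.
 * Class and method names are this example's own, not part of the CWE entry.
 * Assumption: the value will be written into JSP template text with EL enabled,
 * where the JSP specification renders "\${" and "\#{" as the literal characters
 * instead of starting an expression.
 */
public final class ElNeutralizer {

    // The sequences that open an EL expression: "${" (immediate) and "#{" (deferred).
    private static final List<String> EL_OPENERS = List.of("${", "#{");

    private ElNeutralizer() {}

    /** Validation: reject any value that an EL parser would start evaluating. */
    public static boolean isSafeForEl(String value) {
        if (value == null) {
            return true;
        }
        return EL_OPENERS.stream().noneMatch(value::contains);
    }

    /** Encoding: escape every EL opener so the JSP container emits it as plain text. */
    public static String escapeForJspTemplate(String value) {
        if (value == null) {
            return "";
        }
        String out = value;
        for (String opener : EL_OPENERS) {
            out = out.replace(opener, "\\" + opener);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a harmless value, a bare "$", and two EL lookups.
        String[] samples = { "alice", "price is $5", "${xyz}", "#{app.secret}" };
        for (String s : samples) {
            System.out.printf("%-16s safe=%-5b encoded=%s%n",
                    s, isSafeForEl(s), escapeForJspTemplate(s));
        }
    }
}
```

The escape form is specific to JSP template text; when a value must reach an EL evaluator directly, the Architecture and Design mitigation applies: bind it as a named variable in the EL context and reference it from a fixed expression rather than concatenating it into the expression string.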