Possible expression language (EL) injection detected
Overview
Rule ID: java_lang_expression_language_injection
Applicable Languages: Java
Weakness ID: CWE-917
Description
Expression Language (EL) injection vulnerabilities arise when unvalidated external input is incorporated into EL statements. Because the EL engine evaluates the resulting statement, this can lead to the execution of malicious code supplied through that input.
Remediation Guidelines
Always validate all external input or dynamic values before incorporating them into EL statements. This is essential to mitigate the risk of EL injection attacks.
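The flagged pattern next to a remediated form, as an added example that is not part of the original rule page. It assumes the Jakarta EL API (jakarta.el; javax.el on older stacks) with an implementation on the classpath; the class name, method names, allow-list policy and crafted input are constructed for illustration.

```java
import jakarta.el.ELProcessor;
import java.util.regex.Pattern;

// Hypothetical class for illustration; needs a Jakarta EL implementation on the classpath.
public class ElInjectionExample {

    // Assumed allow-list policy for a display name: letters, digits, space, hyphen.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9 -]{1,40}");

    // Flagged pattern: external input is concatenated into the expression text,
    // so the EL parser interprets any operators or calls the input contains.
    static Object greetUnsafe(String name) {
        ELProcessor el = new ELProcessor();
        return el.eval("'Hello, " + name + "'");
    }

    // Remediated: validate first, then pass the value as data through a bean.
    // The expression text is a constant and never contains external input.
    static Object greetSafe(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("name failed validation");
        }
        ELProcessor el = new ELProcessor();
        el.defineBean("name", name);
        return el.eval("'Hello, ' += name");
    }

    public static void main(String[] args) {
        String benign = "Alice";
        // Constructed input: closes the string literal and adds harmless arithmetic.
        String crafted = "' += (6 * 7) += '";

        System.out.println(greetUnsafe(benign));
        // The arithmetic is evaluated by the EL engine instead of being printed as text.
        System.out.println(greetUnsafe(crafted));

        System.out.println(greetSafe(benign));
        try {
            greetSafe(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Binding the value with defineBean keeps it out of the expression grammar entirely, so the allow-list acts as a second layer and not the only control.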
Configuration
To omit this rule during a scan, and to get continuous 24/7 code-level scanning, you can use our SAST tool.