Source: ognl Version: 2.7.3-8 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 2.7.3-7
Hi, The following vulnerability was published for ognl. CVE-2025-53192[0]: | ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of | Expression/Command Delimiters vulnerability in Apache Commons OGNL. | This issue affects Apache Commons OGNL: all versions. When using | the API Ognl.getValue​, the OGNL engine parses and evaluates the | provided expression with powerful capabilities, including accessing | and invoking related methods, etc. Although OgnlRuntime attempts to | restrict certain dangerous classes and methods (such as | java.lang.Runtime) through a blocklist, these restrictions are not | comprehensive. Attackers may be able to bypass the restrictions by | leveraging class objects that are not covered by the blocklist and | potentially achieve arbitrary code execution. As this project is | retired, we do not plan to release a version that fixes this issue. | Users are recommended to find an alternative or restrict access to | the instance to trusted users. NOTE: This vulnerability only | affects products that are no longer supported by the maintainer. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-53192 https://www.cve.org/CVERecord?id=CVE-2025-53192 [1] https://lists.apache.org/thread/2gj8tjl6vz949nnp3yxz3okm9xz2k7sp Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
