We use `quarkus-hibernate-validator`, which pulls in `jakarta.el`. But recently all versions of `jakarta.el` are flagged by NexusIQ for a severe vulnerability.
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
Details as follows:
VULNERABILITY
ISSUE: sonatype-2020-1438
SEVERITY: Sonatype CVSS 3: 7.5
CVE CVSS 2.0: 0.0
WEAKNESS: Sonatype CWE: 20
SOURCE: Sonatype Data Research
CATEGORIES: Data
EXPLANATION: The jakarta.el package contains an Improper Input Validation vulnerability. The LiteralExpression method in the ELParser class fails to properly identify literal expressions. Consequently, invalid expressions are evaluated as if they were valid. A remote attacker can exploit this vulnerability by crafting an EL expression containing a $ or # symbol followed by a backslash, /, and the payload. This will bypass current validations and cause the parser to evaluate the expression potentially allowing Remote Code Execution.
DETECTION: The application is vulnerable by using this component.
RECOMMENDATION: There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.
ROOT CAUSE: jakarta.el-3.0.3.jbossorg-2.jar com/sun/el/parser/ELParser.class ( , )
ADVISORIES: Third Party: https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
CVSS DETAILS: Sonatype CVSS 3: 7.5
Does the Quarkus team have any recommendations on remediating this?