CVSS Score
The vulnerability stems from the eval method of the ExpressionContextImpl class (line 126 in the referenced code), where JEXL expressions are evaluated without sanitization. The pattern jexl.createExpression().evaluate() applied to user-controlled input is a classic code injection vector: the method passes potentially untrusted expressions to a powerful expression evaluator (JEXL), and the advisory explicitly identifies this line as the vulnerable point. No input validation or sandboxing is visible in the provided code snippet, which makes this a clear case of CWE-94 (Code Injection).
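To make the pattern concrete, the following is an added illustration that is not uflo's code and not part of the advisory: the unsandboxed `createExpression().evaluate()` call on caller-supplied expression source, beside a hardened form in which untrusted callers may only select a named, author-defined expression, their data is bound as context values rather than parsed as JEXL, and an allow-list `JexlSandbox` limits what any expression can reach as defense in depth. The class and method names (`JexlEvalExample`, `evalUnsafe`, `evalTrusted`, `TRUSTED_EXPRESSIONS`, `isBlockedBySandbox`) are hypothetical, and the sandbox calls assume Apache Commons JEXL 3.2 or later.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

/**
 * Illustrative example (hypothetical class, not uflo's code): the vulnerable
 * evaluation pattern next to a hardened form.
 */
public class JexlEvalExample {

    // VULNERABLE (CWE-94): the expression *source* comes from the caller and the
    // engine is unrestricted, so whatever JEXL the caller writes is executed.
    static Object evalUnsafe(String callerSuppliedExpression, Map<String, Object> vars) {
        JexlEngine jexl = new JexlBuilder().create();
        JexlContext ctx = new MapContext(new HashMap<>(vars));
        JexlExpression e = jexl.createExpression(callerSuppliedExpression);
        return e.evaluate(ctx);
    }

    // Hardened: expression source is fixed by the process author at build time.
    // Untrusted callers choose an entry by name; they never supply JEXL text.
    private static final Map<String, String> TRUSTED_EXPRESSIONS = Map.of(
            "amountOverLimit", "amount > limit",
            "isManager", "role == 'manager'");

    // Defense in depth: an allow-list sandbox so that even a trusted expression
    // can only touch the value types listed here (assumes JEXL 3.2+ semantics:
    // classes absent from an allow-list sandbox are unreachable).
    private static final JexlEngine SANDBOXED = sandboxedEngine();

    static JexlEngine sandboxedEngine() {
        JexlSandbox sandbox = new JexlSandbox(true); // true = allow-list mode
        sandbox.allow(String.class.getName());
        sandbox.allow(Integer.class.getName());
        sandbox.allow(Long.class.getName());
        sandbox.allow(Double.class.getName());
        sandbox.allow(Boolean.class.getName());
        return new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // undefined variables and unresolvable methods are errors
                .silent(false)  // errors propagate as exceptions instead of becoming null
                .create();
    }

    static Object evalTrusted(String expressionName, Map<String, Object> untrustedVars) {
        String source = TRUSTED_EXPRESSIONS.get(expressionName);
        if (source == null) {
            throw new IllegalArgumentException("unknown expression: " + expressionName);
        }
        // Untrusted data is bound as plain values; it is never parsed as JEXL.
        JexlContext ctx = new MapContext(new HashMap<>(untrustedVars));
        return SANDBOXED.createExpression(source).evaluate(ctx);
    }

    // Self-check a reviewer can run: does the sandbox refuse a given expression?
    static boolean isBlockedBySandbox(String source) {
        try {
            SANDBOXED.createExpression(source).evaluate(new MapContext());
            return false;
        } catch (JexlException ex) {
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> vars = new HashMap<>();
        vars.put("amount", 150);
        vars.put("limit", 100);
        System.out.println(evalTrusted("amountOverLimit", vars)); // true

        // Expression-looking text arriving as data stays data: it is compared as a
        // String, not evaluated, so the result is simply false.
        vars.put("role", "1 + 1");
        System.out.println(evalTrusted("isManager", vars)); // false

        // java.lang.Class is not in the allow list, so reaching it from a String
        // value is rejected by the sandbox (expect true).
        System.out.println(isBlockedBySandbox("'x'.getClass().getName()"));
    }
}
```

The important change is structural, not the sandbox: the caller's input moves from the expression source (code) into the context (data). The sandbox only bounds the damage if an expression string is ever attacker-influenced anyway, and it should be configured as an allow list of the few value types expressions legitimately need, as above, rather than a block list of known-dangerous classes.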
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.bstek.uflo:uflo-core | maven | <= 2.1.5 | |