Bug 2256065 (CVE-2023-51079)

Summary: CVE-2023-51079 mvel: TimeOut error when calling ParseTools.subCompileExpression() function
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adupliak, aileenc, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, fmariani, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jmartisk, jpoth, jrokos, kingland, kverlaen, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[DISPUTED] A vulnerability was found in the ParseTools.subCompileExpression() method in the Mvel package. This vulnerability manifests as a TimeOut error, and may allow an attacker to leverage the TimeOut error to disrupt the normal functioning of the system or application, potentially leading to undesired outcomes or disruptions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2256066    

Description TEJ RATHI 2023-12-28 07:05:00 UTC 
A TimeOut error exists in the ParseTools.subCompileExpression method in mvel2 v2.5.0 Final.

https://github.com/mvel/mvel/issues/348
Comment 8 Marek Novotny 2024-01-29 14:33:03 UTC 
the https://github.com/mvel/mvel/issues/348 was disputed and closed. This should not really be reported to other products.
Comment 11 Marek Novotny 2024-02-12 08:57:51 UTC 
i can't close all product tracking jiras. Please close the remaining ones.
Comment 15 errata-xmlrpc 2024-07-25 19:26:09 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.1 for Spring Boot

Via RHSA-2024:4884 https://access.redhat.com/errata/RHSA-2024:4884