Bug 2256065 (CVE-2023-51079) - CVE-2023-51079 mvel: TimeOut error when calling ParseTools.subCompileExpression() function
Summary: CVE-2023-51079 mvel: TimeOut error when calling ParseTools.subCompileExpressi...
Keywords:
Status: NEW
Alias: CVE-2023-51079
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2256066
TreeView+ depends on / blocked
 
Reported: 2023-12-28 07:05 UTC by TEJ RATHI
Modified: 2024-07-25 19:26 UTC (History)
74 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[DISPUTED] A vulnerability was found in the ParseTools.subCompileExpression() method in the Mvel package. This vulnerability manifests as a TimeOut error, and may allow an attacker to leverage the TimeOut error to disrupt the normal functioning of the system or application, potentially leading to undesired outcomes or disruptions.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:4884 0 None None None 2024-07-25 19:26:13 UTC

Description TEJ RATHI 2023-12-28 07:05:00 UTC
A TimeOut error exists in the ParseTools.subCompileExpression method in mvel2 v2.5.0 Final.

https://github.com/mvel/mvel/issues/348

Comment 8 Marek Novotny 2024-01-29 14:33:03 UTC
the https://github.com/mvel/mvel/issues/348 was disputed and closed. This should not really be reported to other products.

Comment 11 Marek Novotny 2024-02-12 08:57:51 UTC
i can't close all product tracking jiras. Please close the remaining ones.

Comment 15 errata-xmlrpc 2024-07-25 19:26:09 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.1 for Spring Boot

Via RHSA-2024:4884 https://access.redhat.com/errata/RHSA-2024:4884


Note You need to log in before you can comment on or make changes to this bug.