Closed Linfar closed 5 months ago
StandardEvaluationContext allows arbitrary code, including the Runtime class, which in turn can lead to an RCE. E.g. https://codethreat.medium.com/reminiscences-of-another-el-injection-62a3335cd22.
It looks like SimpleEvaluationContext can be safely used instead.
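To illustrate the difference the issue describes, here is an added example (not code from the issue or the project) that evaluates the same expressions under both contexts. It assumes spring-expression 5.x on the classpath; the `Order` root object and the expressions are constructed for the demo.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Hypothetical root object: the kind of bean a user-supplied expression is meant to read.
    public static class Order {
        private final String customer;
        private final int quantity;
        public Order(String customer, int quantity) { this.customer = customer; this.quantity = quantity; }
        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak setting: the full SpEL language, including T(...) type references,
    // constructors and bean references, is reachable from the expression string.
    static EvaluationContext unsafeContext(Order root) {
        return new StandardEvaluationContext(root);
    }

    // Hardened setting: read-only property access on the root object only;
    // type references, constructors and bean references are rejected at evaluation time.
    static EvaluationContext safeContext(Order root) {
        return SimpleEvaluationContext.forReadOnlyDataBinding().withRootObject(root).build();
    }

    // Returns the evaluated value, or null if the context refuses the expression.
    static Object tryEvaluate(EvaluationContext ctx, String expression) {
        try {
            return PARSER.parseExpression(expression).getValue(ctx);
        } catch (EvaluationException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 3);
        String dataBinding = "customer + ':' + quantity";      // legitimate template use
        String typeReference = "T(java.lang.Math).max(1, 2)";  // benign probe for T(...) support

        System.out.println("standard, data binding : " + tryEvaluate(unsafeContext(order), dataBinding));   // alice:3
        System.out.println("standard, type ref     : " + tryEvaluate(unsafeContext(order), typeReference)); // 2
        System.out.println("simple,   data binding : " + tryEvaluate(safeContext(order), dataBinding));     // alice:3
        System.out.println("simple,   type ref     : " + tryEvaluate(safeContext(order), typeReference));   // null (rejected)
    }
}
```

The last line is the check to keep in a unit test: any T(...) reference must be rejected by the context used for untrusted input.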