Bug#1111588: ognl: CVE-2025-53192
Salvatore Bonaccorso
carnil at debian.org
Tue Aug 19 20:03:17 BST 2025
Source: ognl
Version: 2.7.3-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 2.7.3-7
Hi,
The following vulnerability was published for ognl.
CVE-2025-53192[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of
| Expression/Command Delimiters vulnerability in Apache Commons OGNL.
| This issue affects Apache Commons OGNL: all versions. When using
| the API Ognl.getValue, the OGNL engine parses and evaluates the
| provided expression with powerful capabilities, including accessing
| and invoking related methods, etc. Although OgnlRuntime attempts to
| restrict certain dangerous classes and methods (such as
| java.lang.Runtime) through a blocklist, these restrictions are not
| comprehensive. Attackers may be able to bypass the restrictions by
| leveraging class objects that are not covered by the blocklist and
| potentially achieve arbitrary code execution. As this project is
| retired, we do not plan to release a version that fixes this issue.
| Users are recommended to find an alternative or restrict access to
| the instance to trusted users. NOTE: This vulnerability only
| affects products that are no longer supported by the maintainer.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53192
https://www.cve.org/CVERecord?id=CVE-2025-53192
[1] https://lists.apache.org/thread/2gj8tjl6vz949nnp3yxz3okm9xz2k7sp
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list