
I am doing an upgrade of all the dependencies of my spring-boot project, but I cannot upgrade the ognl dependency from version 3.1.12 (containing the vulnerability CVE-2020-15250) to the latest version 3.3.3, because I use the process() function on org.thymeleaf.TemplateEngine and I get the following error if I try to force the version of the ognl dependency to 3.3.3 in my pom.xml:

java.lang.NoClassDefFoundError: ognl/DefaultMemberAccess
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
    at org.thymeleaf.standard.expression.OGNLVariableExpressionEvaluator.<clinit>(OGNLVariableExpressionEvaluator.java:76)
    at org.thymeleaf.standard.StandardDialect.getVariableExpressionEvaluator(StandardDialect.java:179)
    at org.thymeleaf.standard.StandardDialect.getExecutionAttributes(StandardDialect.java:393)
    at org.thymeleaf.DialectSetConfiguration.build(DialectSetConfiguration.java:263)
    at org.thymeleaf.EngineConfiguration.<init>(EngineConfiguration.java:123)
    at org.thymeleaf.TemplateEngine.initialize(TemplateEngine.java:336)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1079)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1059)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1048)

It seems that in version 2.7.2 of spring-boot-starter-thymeleaf, version 3.0.15.RELEASE of thymeleaf is used, and this version tries to use DefaultMemberAccess in ognl, which is not available anymore after version 3.2.1 of ognl, according to what I saw.

I do not want to keep a dependency that has a vulnerability (ognl), but the version of thymeleaf in the latest spring-boot version does not permit me to upgrade ognl because of that error.

Am I blocked from upgrading, or is it possible to do something, please?

phildeg31
  • Just for clarification (my own ignorance): I thought Spring-Thymeleaf (the Spring dialect of Thymeleaf) used SpEL not OGNL. – andrewJames Jul 25 '22 at 15:35
  • @andrewJames That's correct. `SpringStandardDialect` subclasses the `StandardDialect` that appears in the stacktrace, and overrides the `getVariableExpressionEvaluator` method to return a SpEL-based evaluator. @phildeg31, perhaps you can switch to `SpringTemplateEngine` (from `TemplateEngine`), thereby also switching to `SpringStandardDialect` and removing the need for OGNL. – Andy Wilkinson Jul 25 '22 at 16:29
  • Hi, yes it worked, thank you. Indeed the `TemplateEngine` was used directly instead of the `SpringTemplateEngine`. By replacing `new TemplateEngine()` with `new SpringTemplateEngine()` everything works without error and I do not need OGNL anymore (because `SpringTemplateEngine` uses SpEL instead of OGNL, if I understand). – phildeg31 Jul 28 '22 at 06:24

1 Answer


As @Andy Wilkinson said, the solution was to replace `new TemplateEngine()` with `new SpringTemplateEngine()`.

By doing that, OGNL seems to be useless because SpringTemplateEngine uses SpEL instead of OGNL if I understand.

Thank you for your help.

phildeg31
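The two engine choices discussed in the comments and the answer, side by side, as an added example that is not code from the question, the answer or the Thymeleaf project. It assumes the `org.thymeleaf.spring5` package that spring-boot-starter-thymeleaf 2.7.x brings in, and uses a constructed inline template rendered through a `StringTemplateResolver` so it runs without a web context:

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class ThymeleafEngineChoice {

    // Constructed sample template: ${name} is a variable expression, and which
    // evaluator handles it depends on the dialect the engine installs.
    private static final String TEMPLATE =
            "<p th:text=\"'Hello, ' + ${name}\">placeholder</p>";

    /** Before: a plain TemplateEngine installs StandardDialect, whose default
     *  variable-expression evaluator is OGNL based. The first process() call runs
     *  OGNLVariableExpressionEvaluator.<clinit>, which is the frame in the question's
     *  trace that fails with NoClassDefFoundError: ognl/DefaultMemberAccess once
     *  ognl 3.3.x is on the classpath. */
    public static String renderWithStandardDialect() {
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(new StringTemplateResolver());
        return engine.process(TEMPLATE, sampleContext());
    }

    /** After: SpringTemplateEngine installs SpringStandardDialect, which overrides
     *  getVariableExpressionEvaluator() to return a SpEL-based evaluator. No ognl
     *  class is loaded, so the ognl artifact can be upgraded or dropped from the pom. */
    public static String renderWithSpringDialect() {
        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(new StringTemplateResolver());
        return engine.process(TEMPLATE, sampleContext());
    }

    // Constructed variables for the sample template.
    private static Context sampleContext() {
        Context ctx = new Context();
        ctx.setVariable("name", "world");
        return ctx;
    }

    public static void main(String[] args) {
        System.out.println(renderWithSpringDialect());
    }
}
```

Running `renderWithStandardDialect()` with the ognl 3.3.3 dependency forced in the pom reproduces the error from the question; `renderWithSpringDialect()` renders the same template with no ognl artifact on the classpath at all.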