Issue
I am upgrading all the dependencies of my spring-boot project, but I cannot upgrade the ognl dependency from version 3.1.12 (which contains the vulnerability CVE-2020-15250) to the latest version 3.3.3, because I use the process() function on org.thymeleaf.TemplateEngine and I get the following error if I try to force the version of the ognl dependency to 3.3.3 in my pom.xml:
java.lang.NoClassDefFoundError: ognl/DefaultMemberAccess
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
at org.thymeleaf.standard.expression.OGNLVariableExpressionEvaluator.<clinit>(OGNLVariableExpressionEvaluator.java:76)
at org.thymeleaf.standard.StandardDialect.getVariableExpressionEvaluator(StandardDialect.java:179)
at org.thymeleaf.standard.StandardDialect.getExecutionAttributes(StandardDialect.java:393)
at org.thymeleaf.DialectSetConfiguration.build(DialectSetConfiguration.java:263)
at org.thymeleaf.EngineConfiguration.<init>(EngineConfiguration.java:123)
at org.thymeleaf.TemplateEngine.initialize(TemplateEngine.java:336)
at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1079)
at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1059)
at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1048)
It seems that version 2.7.2 of spring-boot-starter-thymeleaf uses version 3.0.15.RELEASE of thymeleaf, and this version tries to use DefaultMemberAccess in ognl, which is no longer available after version 3.2.1 of ognl, according to what I saw.
I do not want to keep a dependency that has a vulnerability (ognl), but the version of thymeleaf in the latest spring-boot version does not let me upgrade ognl because of that error.
Am I blocked on the upgrade, or is there something I can do?
Solution
As @Andy Wilkinson said, the solution was to replace new TemplateEngine() with new SpringTemplateEngine().
By doing that, OGNL seems to be unnecessary, because SpringTemplateEngine uses SpEL instead of OGNL, if I understand correctly.
Thank you for your help.
Answered By - phildeg31
Answer Checked By - Katrina (JavaFixing Volunteer)
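The swap described in the answer, as an added example that is not part of the original question or answer: a SpringTemplateEngine built outside of Spring Boot autoconfiguration and used to render a template string. The SpringStandardDialect that SpringTemplateEngine installs evaluates ${...} with SpEL, so OGNLVariableExpressionEvaluator (and its static reference to ognl.DefaultMemberAccess, which caused the NoClassDefFoundError above) is never loaded. The package org.thymeleaf.spring5 matches the thymeleaf-spring5 module that spring-boot-starter-thymeleaf 2.7.x pulls in; the class and variable names are made up for this illustration.

```java
import org.thymeleaf.context.Context;
import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

/**
 * Illustrative class (not from the original post): renders a template with
 * SpringTemplateEngine instead of the plain TemplateEngine that pulled in OGNL.
 */
public class SpringTemplateEngineExample {

    // Builds an engine whose ${...} expressions are evaluated by SpEL.
    // Unlike new TemplateEngine(), this never touches the ognl classes, so the
    // ognl artifact can be upgraded or excluded without hitting
    // NoClassDefFoundError: ognl/DefaultMemberAccess at engine initialization.
    static SpringTemplateEngine buildEngine() {
        // StringTemplateResolver treats the template name passed to process()
        // as the template text itself; convenient for a self-contained example.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        resolver.setCacheable(false);

        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // Renders the given template text with a single "name" variable.
    static String render(SpringTemplateEngine engine, String template, String name) {
        Context ctx = new Context();
        ctx.setVariable("name", name);
        // Same process(String, IContext) signature the question used on TemplateEngine;
        // the only change is the engine class.
        return engine.process(template, ctx);
    }

    public static void main(String[] args) {
        SpringTemplateEngine engine = buildEngine();
        // Constructed input: th:text escapes the value, so markup in the
        // variable is rendered as text rather than injected into the page.
        String html = render(engine,
                "<p th:text=\"${name}\">placeholder</p>",
                "<script>alert(1)</script>");
        System.out.println(html);
    }
}
```

Once no code path instantiates the plain TemplateEngine, the ognl artifact is only on the classpath because the thymeleaf POM declares it; whether it can be excluded from spring-boot-starter-thymeleaf in your own pom.xml is an assumption to verify against your build, for example by running the application with the exclusion in place and confirming that no other library needs OGNL.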