Discovering and Exploiting a Spring Framework Vulnerability
Previously, Expression Language Injection has only meant information disclosure. I’ll illustrate how it can actually be used for remote code execution on Glassfish and potentially other EL 2.2 containers.