CVE-2023-24163: 
Java vulnerability analysis and mitigation

SQL Injection vulnerability identified as CVE-2023-24163 affects Dromara hutool versions before 5.8.21. The vulnerability was discovered in January 2023 and allows attackers to execute arbitrary code via the aviator template engine (NVD, CVE).

The vulnerability exists in the ExpressionUtil functionality of Hutool, which acts as a facade for expression engines. The issue specifically relates to the processing of untrusted expression strings through the Aviator template engine, allowing potential code execution attacks even when using Aviator's latest version 5.3.3 (Gitee Issue).

When exploited, the vulnerability allows attackers to execute arbitrary code through the aviator template engine, potentially compromising the security of applications using affected versions of Hutool (NVD).

The vulnerability was fixed in Hutool version 5.8.21 with the addition of allowClassSet feature. For versions 6.0.0 and later, the ExpressionUtil functionality has been completely removed as a security measure (Github Release, Gitee Issue).

The project maintainers initially considered the vulnerability as a limitation of the expression engine implementation rather than a direct Hutool issue. However, due to persistent security concerns, they decided to implement fixes in version 5.8.21 and completely remove the functionality in version 6.0.0 (Gitee Issue).