ZK / ZK-5729

JNDI-Injection detected in JndiVariableResolver.java

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 10.0.1
    • None
    • None
    • Security Level: Jimmy

Our security tool currently reports a JNDI injection vulnerability in JndiVariableResolver.java. This resolver is disabled by default, so the vulnerability only applies if your application meets all of the following conditions:

1. Your application explicitly enables JndiVariableResolver (it is disabled by default).
2. Your application allows end users to supply the JNDI pattern mappings (the key-value pairs the resolver uses) from user input.

According to its documentation, JndiVariableResolver resolves variables in the following order:

1. java:comp/env
2. java:comp
3. java:
4. The variable is looked up as a session bean with a prepended key.
5. The key-value pairs defined by the mapping.

The vulnerability can only occur when step 5 is used and the mapped JNDI name that the resolver looks up originates from end-user input, so that a user-controlled name is passed to the JNDI lookup.

To resolve this issue, never pass end-user input to the resolver without proper validation. Alternatively, keep this resolver disabled, which is its default setting.
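The validation the issue recommends, as an added illustration that is not ZK's code and does not use the JndiVariableResolver API: a hypothetical wrapper that keeps the step 5 mapping developer-defined, accepts only bare identifiers as variable names, and only dereferences names in the `java:` namespace, so user input can never select an arbitrary JNDI name. The class name, the `SAFE_NAME` pattern and the assumption that the mapping is loaded from configuration at startup are all assumptions of this example.

```java
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Hypothetical hardened lookup (example code, not ZK's JndiVariableResolver).
public final class SafeJndiLookup {
    // Only bare identifiers are accepted as variable names. A name that is not an
    // identifier (anything with ':', '/', spaces, ...) is refused before any lookup.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*$");

    // Developer-defined mapping from variable name to JNDI name (step 5 in the issue).
    // Assumed to be populated from application configuration at startup, never from
    // request parameters or other end-user input.
    private final Map<String, String> mapping;

    public SafeJndiLookup(Map<String, String> mapping) {
        this.mapping = Map.copyOf(mapping); // immutable snapshot; cannot be changed at runtime
    }

    /** Returns the JNDI name to look up for a variable, or null if the request must be refused. */
    public String resolveJndiName(String variableName) {
        if (variableName == null || !SAFE_NAME.matcher(variableName).matches()) {
            return null; // not a bare identifier: refuse
        }
        String target = mapping.get(variableName);
        if (target == null) {
            return null; // unknown variables are never looked up
        }
        // Even a mapped value must stay inside the java: namespace; names in any
        // other naming scheme are never dereferenced, even if the mapping was
        // mis-edited by a developer.
        if (!target.startsWith("java:")) {
            return null;
        }
        return target;
    }

    /** Performs the lookup only for a name that passed resolveJndiName; otherwise returns null. */
    public Object lookup(String variableName) throws NamingException {
        String name = resolveJndiName(variableName);
        if (name == null) {
            return null;
        }
        return new InitialContext().lookup(name);
    }

    public static void main(String[] args) {
        // Constructed mapping for demonstration: variable "ds" -> a container-managed DataSource.
        SafeJndiLookup lookup = new SafeJndiLookup(Map.of("ds", "java:comp/env/jdbc/appDS"));
        System.out.println(lookup.resolveJndiName("ds"));            // java:comp/env/jdbc/appDS
        System.out.println(lookup.resolveJndiName("ds/../other"));   // null (not an identifier)
        System.out.println(lookup.resolveJndiName("unknown"));       // null (not in the mapping)
    }
}
```

The important property is that the user-supplied string is only ever used as a key into a fixed map, never as the JNDI name itself; the `java:` prefix check is a second guard in case the configured mapping is wrong.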

jumperchen
Votes: 0
Watchers: 1