Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.
The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
References
Link | Resource |
---|---|
https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation | Third Party Advisory |
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions | Third Party Advisory |
https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm | Third Party Advisory |
https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236 | |
https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634 | Patch Third Party Advisory |
https://github.com/dropwizard/dropwizard/pull/3157 | Patch Third Party Advisory |
https://github.com/dropwizard/dropwizard/pull/3160 | Patch Third Party Advisory |
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-02-24T17:35:20
Updated: 2024-06-06T14:58:08.864Z
Reserved: 2020-01-02T00:00:00
Link: CVE-2020-5245
JSON object: View
NVD Information
Status : Modified
Published: 2020-02-24T18:15:22.477
Modified: 2024-06-05T17:15:10.123
Link: CVE-2020-5245
JSON object: View
Redhat Information
No data.
CWE