
CVSS: 9.0 | EPSS: 4% | CPEs: 2 | EXPL: 1

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature, enabling attackers to inject arbitrary Java EL expressions and leading to remote code execution (RCE). If you are using a self-validating bean, an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later.

References:
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext
https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242
https://github.com/dropwizard/dropwizard/pull/3208
https://github.com/dropwizard/dropwizard/pull/3209
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34
https://github.com/dropwizard/dropwizard/security/policy#rep

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.0 | EPSS: 0% | CPEs: 3 | EXPL: 2

Dropwizard-Validation before 1.3.19 and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

References:
https://github.com/LycsHub/CVE-2020-5245
https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions
https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm
https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236
https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
https://github.com/dropwizard/dropwizard/pull/3157
h

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')