CVE-2020-11002

Remote Code Execution (RCE) vulnerability in dropwizard-validation

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

dropwizard-validation versiones anteriores a 2.0.3 y 1.3.21, presenta una vulnerabilidad de ejecución de código remota. Se identificó una inyección de plantilla del lado del servidor en la funcionalidad self-validating que permite a atacantes inyectar expresiones Java EL arbitrarias, lo que conlleva a una vulnerabilidad de Ejecución de Código Remota (RCE). Si está utilizando un bean de autocomprobación, una actualización a Dropwizard versiones 1.3.21 y 2.0.3 o posteriores, es sumamente recomendada. Lamentablemente, los cambios introducidos en Dropwizard versiones 1.3.19 y 2.0.2 para CVE-2020-5245 no corrigieron el problema subyacente completamente. El problema ha sido corregido en dropwizard-validation versiones 1.3.21 y 2.0.3 o posteriores. Recomendamos encarecidamente actualizar a una de estas versiones.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-03-30 CVE Reserved
2020-04-10 CVE Published
2024-07-06 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (7)

URL	Tag	Source
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext	Third Party Advisory
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34	Third Party Advisory
https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability	Third Party Advisory

URL	Date	SRC
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf	2024-08-04

URL	Date	SRC
https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242	2020-04-13
https://github.com/dropwizard/dropwizard/pull/3208	2020-04-13
https://github.com/dropwizard/dropwizard/pull/3209	2020-04-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dropwizard Search vendor "Dropwizard"		Dropwizard Validation Search vendor "Dropwizard" for product "Dropwizard Validation"				< 1.3.21 Search vendor "Dropwizard" for product "Dropwizard Validation" and version " < 1.3.21"		-		Affected
Dropwizard Search vendor "Dropwizard"		Dropwizard Validation Search vendor "Dropwizard" for product "Dropwizard Validation"				>= 2.0.0 < 2.0.3 Search vendor "Dropwizard" for product "Dropwizard Validation" and version " >= 2.0.0 < 2.0.3"		-		Affected