// For flags

CVE-2020-11002

Remote Code Execution (RCE) vulnerability in dropwizard-validation

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

dropwizard-validation versiones anteriores a 2.0.3 y 1.3.21, presenta una vulnerabilidad de ejecución de código remota. Se identificó una inyección de plantilla del lado del servidor en la funcionalidad self-validating que permite a atacantes inyectar expresiones Java EL arbitrarias, lo que conlleva a una vulnerabilidad de Ejecución de Código Remota (RCE). Si está utilizando un bean de autocomprobación, una actualización a Dropwizard versiones 1.3.21 y 2.0.3 o posteriores, es sumamente recomendada. Lamentablemente, los cambios introducidos en Dropwizard versiones 1.3.19 y 2.0.2 para CVE-2020-5245 no corrigieron el problema subyacente completamente. El problema ha sido corregido en dropwizard-validation versiones 1.3.21 y 2.0.3 o posteriores. Recomendamos encarecidamente actualizar a una de estas versiones.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-03-30 CVE Reserved
  • 2020-04-10 CVE Published
  • 2024-07-06 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Dropwizard
Search vendor "Dropwizard"
Dropwizard Validation
Search vendor "Dropwizard" for product "Dropwizard Validation"
< 1.3.21
Search vendor "Dropwizard" for product "Dropwizard Validation" and version " < 1.3.21"
-
Affected
Dropwizard
Search vendor "Dropwizard"
Dropwizard Validation
Search vendor "Dropwizard" for product "Dropwizard Validation"
>= 2.0.0 < 2.0.3
Search vendor "Dropwizard" for product "Dropwizard Validation" and version " >= 2.0.0 < 2.0.3"
-
Affected