CVE-2020-5245

Remote Code Execution (RCE) vulnerability in dropwizard-validation

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.

The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Dropwizard-Validation versiones anteriores a 1.3.19 y 2.0.2, puede permitir una ejecución de código arbitraria en el host system, con los privilegios de la cuenta de servicio de Dropwizard, mediante la inyección de expresiones arbitrarias de Java Expression Language cuando se utiliza la funcionalidad self-validating. El problema se ha corregido en dropwizard-validation versiones 1.3.19 y 2.0.2.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2020-01-02 CVE Reserved
2020-02-24 CVE Published
2023-02-17 First Exploit
2024-06-06 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (9)

URL	Tag	Source
https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation	Third Party Advisory
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions	Third Party Advisory
https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm	Third Party Advisory
https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236	X_refsource_misc

URL	Date	SRC
https://github.com/LycsHub/CVE-2020-5245	2023-02-17
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf	2024-08-04

URL	Date	SRC
https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634	2024-06-05
https://github.com/dropwizard/dropwizard/pull/3157	2024-06-05
https://github.com/dropwizard/dropwizard/pull/3160	2024-06-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dropwizard Search vendor "Dropwizard"		Dropwizard Validation Search vendor "Dropwizard" for product "Dropwizard Validation"				< 1.3.19 Search vendor "Dropwizard" for product "Dropwizard Validation" and version " < 1.3.19"		-		Affected
Dropwizard Search vendor "Dropwizard"		Dropwizard Validation Search vendor "Dropwizard" for product "Dropwizard Validation"				>= 2.0.0 < 2.0.2 Search vendor "Dropwizard" for product "Dropwizard Validation" and version " >= 2.0.0 < 2.0.2"		-		Affected
Oracle Search vendor "Oracle"		Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform"				< 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " < 21.1.2"		-		Affected