CVE-2020-5245: Remote Code Execution (RCE) vulnerability in dropwizard-validation
A server-side template injection was identified in the self-validating (@SelfValidating) feature of dropwizard-validation, enabling attackers to inject arbitrary Java EL expressions, leading to a Remote Code Execution (RCE) vulnerability.
If you’re using a self-validating bean (via @SelfValidating), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended.
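As an added illustration (not code from this advisory or from the Dropwizard project), a hypothetical self-validating bean written in the pattern the advisory describes, beside its hardened form. The class and field names are assumptions; the note about escapeExpressions describes the patched releases' default behaviour as assumed here, so verify it against your Dropwizard version.

```java
import io.dropwizard.validation.selfvalidating.SelfValidating;
import io.dropwizard.validation.selfvalidating.SelfValidation;
import io.dropwizard.validation.selfvalidating.ViolationCollector;

// Hypothetical request bean used to illustrate the CVE-2020-5245 pattern.
// The title is deserialized from the request body, i.e. it is caller-controlled.
@SelfValidating
public class VulnerableReport {
    private String title;

    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }

    @SelfValidation
    public void checkTitle(ViolationCollector col) {
        if (title == null || title.length() > 64) {
            // Risky on Dropwizard before 1.3.19 / 2.0.2: the violation message is
            // interpolated as a Java EL template, so untrusted text in the message
            // is treated as expression source, not as data.
            col.addViolation("Invalid title: " + title);
        }
    }
}

// Hardened form of the same bean: the message is a constant, so no
// request-controlled text ever reaches the EL interpolator. The patched
// releases named above additionally escape expression delimiters in
// messages by default (@SelfValidating(escapeExpressions = true)), but
// keeping untrusted data out of the message is the safer habit regardless.
@SelfValidating
class SafeReport {
    private String title;

    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }

    @SelfValidation
    public void checkTitle(ViolationCollector col) {
        if (title == null || title.length() > 64) {
            col.addViolation("title must be between 1 and 64 characters");
        }
    }
}
```

If the rejected value must be reported back to the caller, return it in a dedicated response field rather than embedding it in the validation message.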
References
- beanvalidation.org/2.0/spec/
- docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/
- docs.oracle.com/javaee/7/tutorial/jsf-el.htm
- github.com/advisories/GHSA-3mcp-9wr4-cjqf
- github.com/dropwizard/dropwizard
- github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236
- github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
- github.com/dropwizard/dropwizard/pull/3157
- github.com/dropwizard/dropwizard/pull/3160
- github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
- nvd.nist.gov/vuln/detail/CVE-2020-5245
- www.oracle.com/security-alerts/cpuapr2022.html