CVE-2020-5245: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

February 24, 2020 (updated May 21, 2021)

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

References

github.com/advisories/GHSA-3mcp-9wr4-cjqf
github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
github.com/dropwizard/dropwizard/pull/3157
github.com/dropwizard/dropwizard/pull/3160
github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
nvd.nist.gov/vuln/detail/CVE-2020-5245

Detect and mitigate CVE-2020-5245 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →