CVE - CVE-2020-5245

CVE-ID
CVE-2020-5245	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation URL:https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation MISC:https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions URL:https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions MISC:https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm URL:https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm MISC:https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236 URL:https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236 MISC:https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634 URL:https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634 MISC:https://github.com/dropwizard/dropwizard/pull/3157 URL:https://github.com/dropwizard/dropwizard/pull/3157 MISC:https://github.com/dropwizard/dropwizard/pull/3160 URL:https://github.com/dropwizard/dropwizard/pull/3160 MISC:https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf URL:https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20200102	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20200102)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.