CVE-2020-5245

Remote Code Execution (RCE) vulnerability in dropwizard-validation

CVSS 7.9 HIGHEPSS 2.8%CWE-74

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.9EPSS 2.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

24 Feb 2020Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Affected products

dropwizard · dropwizard-validation

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236 https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634 https://github.com/dropwizard/dropwizard/pull/3157 https://github.com/dropwizard/dropwizard/pull/3160 https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf