Published: 10/04/2020 Updated: 13/04/2020

CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

dropwizard-validation prior to 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling malicious users to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

Vulnerable Product	Search on Vulmon	Subscribe to Product
dropwizard dropwizard validation

CWE-74 https://github.com/dropwizard/dropwizard/pull/3209 https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability https://github.com/dropwizard/dropwizard/pull/3208 https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34 https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242 https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-11002

Vulnerability Summary

Most Upvoted Vulmon Research Post

Vulnerability Trend

References

Vulmon Search

About

Products

Connect