
CVE-2020-11002

Published: 10/04/2020 Updated: 13/04/2020
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 801
Vector (CVSS v2): AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

dropwizard-validation prior to 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature that enables malicious users to inject arbitrary Java EL expressions, leading to a Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean, an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.
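The practical check that follows from this advisory is whether a build still pulls in an affected dropwizard-validation release. The script below is an added example, not part of the advisory or of the Dropwizard project: it parses a Maven POM, resolves `${property}` version references, and flags the artifact when its version falls in an affected range (anything below 1.3.21, or 2.0.0 up to but not including 2.0.3, the fixed versions named above). The groupId `io.dropwizard`, the constructed sample POM, and the rule that pre-release qualifiers are ignored when comparing versions are assumptions of this example.

```python
# Added example: flag dropwizard-validation versions affected by CVE-2020-11002
# in a Maven POM. Fixed versions per the advisory: 1.3.21 and 2.0.3.
import re
import xml.etree.ElementTree as ET

GROUP_ID = "io.dropwizard"  # assumption: Maven groupId of the artifact
ARTIFACT_ID = "dropwizard-validation"
# Affected ranges as (inclusive lower bound, exclusive first fixed version).
AFFECTED_RANGES = [((0, 0, 0), (1, 3, 21)), ((2, 0, 0), (2, 0, 3))]
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '1.3.20' or '2.0.2-rc1' into a comparable tuple (qualifiers ignored)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) if part else 0 for part in m.groups())


def is_affected(version_text):
    """True when the version lies in one of the affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_pom(pom_xml):
    """Return [(resolved_version, affected)] for every direct dropwizard-validation dependency.

    affected is None when the version could not be resolved or parsed.
    """
    root = ET.fromstring(pom_xml)
    # <properties> children are arbitrary tags; strip the namespace to get the name.
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", POM_NS)}
    findings = []
    for dep in root.findall(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        if gid != GROUP_ID or aid != ARTIFACT_ID:
            continue
        # Resolve ${dropwizard.version}-style references against <properties>.
        ver = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), ver)
        try:
            findings.append((ver, is_affected(ver)))
        except ValueError:
            findings.append((ver, None))
    return findings


# Constructed sample POM (not from any real project): one affected direct dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dropwizard.version>1.3.20</dropwizard.version></properties>
  <dependencies>
    <dependency>
      <groupId>io.dropwizard</groupId>
      <artifactId>dropwizard-validation</artifactId>
      <version>${dropwizard.version}</version>
    </dependency>
    <dependency>
      <groupId>io.dropwizard</groupId>
      <artifactId>dropwizard-core</artifactId>
      <version>2.0.2</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for version, affected in scan_pom(SAMPLE_POM):
        status = {True: "AFFECTED", False: "fixed", None: "unresolved"}[affected]
        print(f"{ARTIFACT_ID} {version}: {status}")
```

The scan only sees direct dependencies; dropwizard-validation is usually pulled in transitively by dropwizard-core, so run the same `is_affected` check over the output of `mvn dependency:tree` (or the Gradle equivalent) to cover the resolved version actually on the classpath.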


Affected product: dropwizard / dropwizard validation

Github Repositories

Bean Validation To Remote Code Execution: In this blog post we will talk about a Java-specific bug that is often overlooked during pentests, which can give us code execution if certain conditions are met. What is a Bean and what are Validators? On Spring: The Bean in Java simply refers to the POJO classes, or we can say, the classes which have member variable de