Vulnerability Description
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dropwizard | Dropwizard Validation | < 1.3.19 |
| Oracle | Blockchain Platform | < 21.1.2 |
Related Weaknesses (CWE)
References
- https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpoThird Party Advisory
- https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#sectThird Party Advisory
- https://docs.oracle.com/javaee/7/tutorial/jsf-el.htmThird Party Advisory
- https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd9
- https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961PatchThird Party Advisory
- https://github.com/dropwizard/dropwizard/pull/3157PatchThird Party Advisory
- https://github.com/dropwizard/dropwizard/pull/3160PatchThird Party Advisory
- https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqfExploitThird Party Advisory
- https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpoThird Party Advisory
- https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#sectThird Party Advisory
- https://docs.oracle.com/javaee/7/tutorial/jsf-el.htmThird Party Advisory
- https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd9
- https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961PatchThird Party Advisory
- https://github.com/dropwizard/dropwizard/pull/3157PatchThird Party Advisory
- https://github.com/dropwizard/dropwizard/pull/3160PatchThird Party Advisory
FAQ
What is CVE-2020-5245?
CVE-2020-5245 is a vulnerability with a CVSS score of 7.9 (HIGH). Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Lang...
How severe is CVE-2020-5245?
CVE-2020-5245 has been rated HIGH with a CVSS base score of 7.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5245?
Check the references section above for vendor advisories and patch information. Affected products include: Dropwizard Dropwizard Validation, Oracle Blockchain Platform.