CVE-2020-5245
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-5245
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5245.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-5245
- Aliases
- Published
- 2020-02-24T18:15:22Z
- Modified
- 2024-06-06T10:03:14.224972Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.
The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
- References
-
- https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
- https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236
- https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
- https://github.com/dropwizard/dropwizard/pull/3157
- https://github.com/dropwizard/dropwizard/pull/3160
- https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation
- https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions
- https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm
Affected packages
Git / github.com/dropwizard/dropwizard
Affected ranges
- Type
- GIT
- Repo
- https://github.com/dropwizard/dropwizard
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
v0.*
v0.0.1
v0.0.10
v0.0.10-1
v0.0.11
v0.0.11-1
v0.0.12
v0.0.13
v0.0.2
v0.0.2-fix-publishing
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.0-rc1
v0.7.0-rc2
v0.7.0-rc3
v0.8.0
v0.8.0-rc1
v0.8.0-rc2
v0.8.0-rc3
v0.8.0-rc4
v0.8.0-rc5
v0.8.1
v0.8.1-rc1
v0.8.1-rc2
v0.9.0
v0.9.0-rc1
v0.9.0-rc2
v0.9.0-rc3
v0.9.0-rc4
v0.9.0-rc5
v1.*
v1.0.0
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.2.0
v1.2.0-rc1
v1.2.0-rc2
v1.2.0-rc3
v1.2.0-rc4
v1.2.0-rc5
v1.2.0-rc6
v1.3.0
v1.3.0-rc1
v1.3.0-rc2
v1.3.0-rc3
v1.3.0-rc4
v1.3.0-rc5
v1.3.0-rc6
v1.3.0-rc7
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0
v2.0.0-rc0
v2.0.0-rc1
v2.0.0-rc10
v2.0.0-rc11
v2.0.0-rc12
v2.0.0-rc13
v2.0.0-rc14
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.0-rc7
v2.0.0-rc8
v2.0.0-rc9
v2.0.1