CVE Vulnerabilities

CVE-2020-5245

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Feb 24, 2020 | Modified: Jun 05, 2024
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
9 HIGH
AV:N/AC:L/Au:S/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.

The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Dropwizard_validation Dropwizard * 1.3.19 (excluding)
Dropwizard_validation Dropwizard 2.0.0 (including) 2.0.2 (excluding)

Potential Mitigations

References