CVE-2020-5245

HIGH

Dropwizard Validation < 1.3.19 - Injection

Title source: rule

Description

Dropwizard-Validation before 1.3.19 and before 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language (EL) expressions through the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Exploits (1)

nomisec WORKING POC
by LycsHub · poc
https://github.com/LycsHub/CVE-2020-5245

Scores

CVSS v3 7.9
EPSS 0.0630
EPSS Percentile 91.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Details

CWE
CWE-74
Status published
Products (3)
dropwizard/dropwizard_validation < 1.3.19
io.dropwizard/dropwizard-validation 1.3.0-rc1 - 1.3.19 (Maven)
oracle/blockchain_platform < 21.1.2
Published Feb 24, 2020
Tracked Since Feb 18, 2026