{"containers":{"cna":{"title":"Remote Code Execution (RCE) vulnerability in dropwizard-validation","problemTypes":[{"descriptions":[{"cweId":"CWE-74","lang":"en","description":"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L","version":"3.1"}}],"references":[{"name":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf","tags":["x_refsource_CONFIRM"],"url":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"},{"name":"https://github.com/dropwizard/dropwizard/pull/3157","tags":["x_refsource_MISC"],"url":"https://github.com/dropwizard/dropwizard/pull/3157"},{"name":"https://github.com/dropwizard/dropwizard/pull/3160","tags":["x_refsource_MISC"],"url":"https://github.com/dropwizard/dropwizard/pull/3160"},{"name":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","tags":["x_refsource_MISC"],"url":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"},{"name":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","tags":["x_refsource_MISC"],"url":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"},{"name":"https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation","tags":["x_refsource_MISC"],"url":"https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"},{"name":"https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions","tags":["x_refsourc
e_MISC"],"url":"https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"},{"name":"https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm","tags":["x_refsource_MISC"],"url":"https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}],"affected":[{"vendor":"dropwizard","product":"dropwizard-validation","versions":[{"version":">= 1.3.0, < 1.3.19","status":"affected"},{"version":">= 2.0.0, < 2.0.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-06-05T16:42:31.207Z"},"descriptions":[{"lang":"en","value":"Dropwizard-Validation before 1.3.19, and 2.0.x before 2.0.2, may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}],"source":{"advisory":"GHSA-3mcp-9wr4-cjqf","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-06T14:57:55.801469Z","id":"CVE-2020-5245","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-06T14:58:08.864Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T08:22:09.091Z"},"title":"CVE Program 
Container","references":[{"name":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"},{"name":"https://github.com/dropwizard/dropwizard/pull/3157","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/dropwizard/dropwizard/pull/3157"},{"name":"https://github.com/dropwizard/dropwizard/pull/3160","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/dropwizard/dropwizard/pull/3160"},{"name":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"},{"name":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"},{"name":"https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation","tags":["x_refsource_MISC","x_transferred"],"url":"https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"},{"name":"https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions","tags":["x_refsource_MISC","x_transferred"],"url":"https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"},{"name":"https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm","tags":["x_refsource_MISC","x_transferred"],"url":"https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}]}]},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2020-5245","datePublished":"2020-02-24T17:35:20.000Z","dateReserved":"2020-01-02T00:00:00.000Z","dateU
pdated":"2024-08-04T08:22:09.091Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}