CVE-2020-5245: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
(updated )
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
References
- github.com/advisories/GHSA-3mcp-9wr4-cjqf
- github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
- github.com/dropwizard/dropwizard/pull/3157
- github.com/dropwizard/dropwizard/pull/3160
- github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
- nvd.nist.gov/vuln/detail/CVE-2020-5245
Code Behaviors & Features
Detect and mitigate CVE-2020-5245 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →