{"containers": {"cna": {"title": "Remote Code Execution (RCE) vulnerability in dropwizard-validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}], "affected": [{"vendor": "dropwizard", "product": "dropwizard-validation", "versions": [{"version": ">= 1.3.0, < 1.3.19", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-05T16:42:31.207Z"}, "descriptions": [{"lang": "en", "value": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}], "source": {"advisory": "GHSA-3mcp-9wr4-cjqf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T14:57:55.801469Z", "id": "CVE-2020-5245", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:58:08.864Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.091Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5245", "datePublished": "2020-02-24T17:35:20", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.091Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3157", "name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3160", "name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.091Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-5245", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-06T14:57:55.801469Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:58:03.428Z"}}], "cna": {"title": "Remote Code Execution (RCE) vulnerability in dropwizard-validation", "source": {"advisory": "GHSA-3mcp-9wr4-cjqf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dropwizard", "product": "dropwizard-validation", "versions": [{"status": "affected", "version": ">= 1.3.0, < 1.3.19"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.2"}]}], "references": [{"url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3157", "name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3160", "name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC"]}, {"url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-05T16:42:31.207Z"}}}, "cveMetadata": {"cveId": "CVE-2020-5245", "state": "PUBLISHED", "dateUpdated": "2024-08-04T08:22:09.091Z", "dateReserved": "2020-01-02T00:00:00", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2020-02-24T17:35:20", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dropwizard:dropwizard_validation:*:*:*:*:*:*:*:*", "matchCriteriaId": "6093F68F-E2FF-4A25-A709-79F315833DEF", "versionEndExcluding": "1.3.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:dropwizard:dropwizard_validation:*:*:*:*:*:*:*:*", "matchCriteriaId": "4522F31B-974E-4957-8A49-6B396C810720", "versionEndExcluding": "2.0.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}, {"lang": "es", "value": "Dropwizard-Validation versiones anteriores a 1.3.19 y 2.0.2, puede permitir una ejecuci\u00f3n de c\u00f3digo arbitraria en el host system, con los privilegios de la cuenta de servicio de Dropwizard, mediante la inyecci\u00f3n de expresiones arbitrarias de Java Expression Language cuando se utiliza la funcionalidad self-validating. El problema se ha corregido en dropwizard-validation versiones 1.3.19 y 2.0.2."}], "id": "CVE-2020-5245", "lastModified": "2024-11-21T05:33:45.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-24T18:15:22.477", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}, {"source": "security-advisories@github.com", "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}