CVE-2020-5245 — Injection in Validation

CWE-74 — Injection CWE-94 — Code Injection7 documents6 sources

Severity

8.8HIGHNVD

CNA7.9GHSA7.9

EPSS

6.3%

top 9.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hibernate Validator Dropwizard Validation Oracle Blockchain Platform +1 more

Timeline

PublishedFeb 24

Latest updateJun 3

Description

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDdropwizard/dropwizard_validation2.0.0 — 2.0.2+1

▶CVEListV5dropwizard/dropwizard-validation>= 1.3.0, < 1.3.19, >= 2.0.0, < 2.0.2+1

▶NVDoracle/blockchain_platform< 21.1.2

▶CVEListV5hibernate/hibernate_validator< 6.2.0+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language↗2025-06-03

▶

CVEList

Remote Code Execution (RCE) vulnerability in dropwizard-validation↗2020-02-24

▶

OSV

Remote Code Execution (RCE) vulnerability in dropwizard-validation↗2020-02-24

▶

GHSA

Remote Code Execution (RCE) vulnerability in dropwizard-validation↗2020-02-24

▶

📋Vendor Advisories

Red Hat

hibernate-validator: Hibernate Validator Expression Language Injection↗2025-06-03

▶

Oracle

Oracle Oracle Blockchain Platform Risk Matrix: Backend (Dropwizard-Validation) — CVE-2020-5245↗2022-04-15

▶