CVE-2020-5245
published 2020-02-24CVE-2020-5245: Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.
The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libhibernate-validator-java | — | — |
| debian | libhibernate-validator4-java | — | — |
| dropwizard | dropwizard | < 1.3.21 | 1.3.21 |
| dropwizard | dropwizard | — | — |
| dropwizard | dropwizard_validation | < 1.3.19 | 1.3.19 |
| dropwizard | dropwizard_validation | < 1.3.21 | 1.3.21 |
| dropwizard | dropwizard_validation | >= 2.0.0 < 2.0.2 | 2.0.2 |
| dropwizard | dropwizard_validation | >= 2.0.0 < 2.0.3 | 2.0.3 |
| hibernate | hibernate_validator | < 6.2.0 | 6.2.0 |
| hibernate | hibernate_validator | < 7.0.0 | 7.0.0 |
| oracle | blockchain_platform | < 21.1.2 | 21.1.2 |
| redhat | hibernate_validator | < 6.2.0 | 6.2.0 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa8.8HIGH
osv8.8HIGH