PT-2020-12484 · Dropwizard · Dropwizard-Validation

Pwntester · Published 2020-02-24 · Updated 2020-04-14 · CVE-2020-11002

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: dropwizard-validation versions prior to 1.3.21 and 2.0.3

Description: A server-side template injection was identified in the self-validating feature of dropwizard-validation: violation messages are evaluated as Java EL expressions, enabling attackers to inject arbitrary EL expressions and achieve Remote Code Execution (RCE), i.e. run arbitrary code on the host system with the privileges of the Dropwizard service account. The evaluation of EL expressions has been disabled by default in the fixed versions.

Recommendations: To resolve the issue, upgrade to dropwizard-validation version 1.3.21 or 2.0.3 or later. If you cannot upgrade to one of these versions but still want to use the self-validating feature, make sure to properly sanitize any message you add to the ViolationCollector in the method annotated with @SelfValidation. Dropwizard 1.3.21 and 2.0.3 also introduce addViolation methods that accept message parameters; prefer them over building messages that are evaluated as EL expressions. As a temporary workaround, consider disabling the self-validating feature until a patch is available. Restrict access to the self-validating module to minimize the risk of exploitation. Avoid using the self-validating feature in dropwizard-validation until the issue is resolved.
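As an added illustration, not code from the advisory or from the Dropwizard project, the contrast between a self-validating message built by concatenating client input (the vulnerable pattern) and one that hands the value over as a message parameter. The class ProfileRequest and its name field are hypothetical, and the addViolation(String, Map<String, Object>) overload with the "{name}" placeholder is assumed to be one of the parameter-aware methods the advisory refers to.

```java
import java.util.Collections;
import java.util.Map;
import io.dropwizard.validation.selfvalidating.SelfValidating;
import io.dropwizard.validation.selfvalidating.SelfValidation;
import io.dropwizard.validation.selfvalidating.ViolationCollector;

// Hypothetical request body; `name` comes straight from the client.
@SelfValidating
public class ProfileRequest {
    private final String name;

    public ProfileRequest(String name) {
        this.name = name;
    }

    // VULNERABLE pattern (pre-1.3.21 / pre-2.0.3): the client-controlled value
    // becomes part of the message template, so any "${...}" it contains is
    // parsed and evaluated as a Java EL expression by the validator.
    // Kept commented out so the class only carries the safer variant.
    //
    // @SelfValidation
    // public void validateNameUnsafe(ViolationCollector collector) {
    //     if (name == null || name.length() > 32) {
    //         collector.addViolation("Invalid name: " + name);
    //     }
    // }

    // SAFER pattern: keep the template constant and pass the untrusted value
    // as a message parameter. The "{name}" placeholder is filled in by the
    // message interpolator; the value itself is never treated as a template.
    // (Overload assumed from the advisory's "addViolation methods supporting
    // message parameters", available from 1.3.21 / 2.0.3.)
    @SelfValidation
    public void validateName(ViolationCollector collector) {
        if (name == null || name.length() > 32) {
            Map<String, Object> params =
                    Collections.<String, Object>singletonMap("name", String.valueOf(name));
            collector.addViolation("Invalid name: {name}", params);
        }
    }
}
```

On a version that still evaluates EL in messages, the only safe options are upgrading or making sure no client-controlled text ever reaches the message string.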

Weakness Enumeration: Special Elements Injection

Related Identifiers

CVE-2020-11002
GHSA-3MCP-9WR4-CJQF
GHSA-8JPX-M2WH-2V34

Affected Products

Dropwizard-Validation