CVE-2020-9296

Name of the Vulnerable Software and Affected Versions Netflix Titus (affected versions not specified) Netflix Conductor (affected versions not specified)

Description The issue concerns the use of Java Bean Validation (JSR 380) custom constraint validators in Netflix Titus and Netflix Conductor. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.

Recommendations For Netflix Titus, consider restricting access to the ConstraintValidatorContext.buildConstraintViolationWithTemplate() function to minimize the risk of exploitation. For Netflix Conductor, consider restricting access to the ConstraintValidatorContext.buildConstraintViolationWithTemplate() function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.