PT-2020-20572 · Netflix · Netflix Titus
Pwntester · Published 2020-07-14 · Updated 2021-07-21 · CVE-2020-9297
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Netflix Titus versions prior to v0.1.1-rc.274
Description
The issue concerns the use of Java Bean Validation custom constraint validators in Netflix Titus. It allows arbitrary data to be injected into error message templates, which can lead to the execution of arbitrary Java code if an attacker can inject data into the template passed as the argument to ConstraintValidatorContext.buildConstraintViolationWithTemplate(). This is due to the support for various interpolation types, including Java EL expressions, when building custom constraint violation error messages.
Recommendations
For Netflix Titus versions prior to v0.1.1-rc.274, update to version v0.1.1-rc.274 or later to resolve the issue. As a temporary workaround, consider restricting the input data that can be injected into the error message template to minimize the risk of exploitation.
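The pattern described above, shown beside a hardened form. This is an added example, not code from Netflix Titus or from its fix; the ValidName constraint, both validator classes and the name rule are hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

// Hypothetical constraint: a name may contain only letters, digits, '-' and '_'.
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = HardenedNameValidator.class)
@interface ValidName {
    String message() default "invalid name";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

// BEFORE: the rejected value is concatenated into the template string, so the
// provider parses any interpolation syntax inside the value as template text.
class VulnerableNameValidator implements ConstraintValidator<ValidName, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || value.matches("[A-Za-z0-9_-]+")) return true;
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("Invalid name: " + value)
           .addConstraintViolation();
        return false;
    }
}

// AFTER: the template is a compile-time constant with no caller-supplied text.
// The rejected value is still available to the caller as data through
// ConstraintViolation.getInvalidValue(), outside the interpolation step.
class HardenedNameValidator implements ConstraintValidator<ValidName, String> {
    private static final String TEMPLATE =
        "Invalid name: only letters, digits, '-' and '_' are allowed";

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || value.matches("[A-Za-z0-9_-]+")) return true;
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate(TEMPLATE).addConstraintViolation();
        return false;
    }
}
```

If the message itself must carry the rejected value and the provider is Hibernate Validator (an assumption, the page does not name the provider), HibernateConstraintValidatorContext.addExpressionVariable() binds the value as data instead of template text.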
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Netflix Titus