PT-2020-6653 · Unknown · Dropwizard-Validation

Pwntester · Published 2020-02-24 · Updated 2025-06-03 · CVE-2020-5245

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Dropwizard-Validation 1.3.x versions prior to 1.3.19; Dropwizard-Validation 2.0.x versions prior to 2.0.2
Description: The self-validating feature of dropwizard-validation (@SelfValidating classes with methods annotated @SelfValidation) passes every message added to the ViolationCollector to Hibernate Validator's message interpolator, which evaluates Java Expression Language (EL) expressions of the form ${...} embedded in the message. If a self-validation method builds that message from user-controlled input, an attacker can inject arbitrary EL expressions; they are evaluated on the server and allow arbitrary code execution on the host system with the privileges of the Dropwizard service account. This is a server-side template injection vulnerability leading to remote code execution (RCE).
Recommendations: For Dropwizard-Validation 1.3.x versions prior to 1.3.19, upgrade to Dropwizard 1.3.19; for 2.0.x versions prior to 2.0.2, upgrade to Dropwizard 2.0.2. The fixed releases escape interpolation syntax in messages passed to the ViolationCollector by default. As a temporary workaround on unfixed versions, do not concatenate user-controlled values into any message added to the ViolationCollector in a method annotated with @SelfValidation; if such a value must appear in the message, escape the characters the interpolator treats specially ($, {, } and \) with a backslash before adding it.
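The following is an added example written for this page; it is not code from the advisory, the reporter, or the Dropwizard project. It places the vulnerable self-validation pattern described above beside the workaround from the recommendations. It assumes the Dropwizard 2.0.x API (io.dropwizard.validation.selfvalidating.SelfValidating, SelfValidation and ViolationCollector, and io.dropwizard.validation.BaseValidator.newValidator() for a standalone Validator); the escapeForInterpolator helper is hypothetical and not part of Dropwizard; the input "${1+1}" is a constructed, harmless expression used only to show whether the interpolator evaluated the message, not an exploit.

```java
import io.dropwizard.validation.BaseValidator;
import io.dropwizard.validation.selfvalidating.SelfValidating;
import io.dropwizard.validation.selfvalidating.SelfValidation;
import io.dropwizard.validation.selfvalidating.ViolationCollector;

import javax.validation.ConstraintViolation;
import javax.validation.Validator;
import java.util.Set;

public class SelfValidationElDemo {

    // Vulnerable form: on dropwizard-validation < 1.3.19 / < 2.0.2 the message is handed
    // to Hibernate Validator's interpolator unescaped, so ${...} inside it is evaluated as EL.
    @SelfValidating
    public static class VulnerableRequest {
        private final String username;

        VulnerableRequest(String username) {
            this.username = username;
        }

        @SelfValidation
        public void checkUsername(ViolationCollector collector) {
            if (username == null || !username.matches("[a-z0-9_]{3,32}")) {
                // User-controlled value concatenated straight into the message template.
                collector.addViolation("invalid username: " + username);
            }
        }
    }

    // Hardened form: the same check, but the user-controlled value is escaped before it
    // reaches the interpolator. This is the workaround for unfixed versions; the fixed
    // releases escape the message by default.
    @SelfValidating
    public static class HardenedRequest {
        private final String username;

        HardenedRequest(String username) {
            this.username = username;
        }

        @SelfValidation
        public void checkUsername(ViolationCollector collector) {
            if (username == null || !username.matches("[a-z0-9_]{3,32}")) {
                collector.addViolation("invalid username: " + escapeForInterpolator(username));
            }
        }
    }

    // Hypothetical helper (assumption, not a Dropwizard API): prefix each character that
    // Hibernate Validator's message interpolator treats specially with a backslash, so the
    // value is rendered literally instead of being interpreted as a parameter or EL term.
    static String escapeForInterpolator(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\\' || c == '$' || c == '{' || c == '}') {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a harmless EL expression. In the vulnerable class the
        // interpolator evaluates it inside the violation message; in the hardened class the
        // escaped text is rendered as typed.
        String payload = "${1+1}";
        Validator validator = BaseValidator.newValidator();

        printViolations("vulnerable", validator.validate(new VulnerableRequest(payload)));
        printViolations("hardened", validator.validate(new HardenedRequest(payload)));
    }

    private static <T> void printViolations(String label, Set<ConstraintViolation<T>> violations) {
        for (ConstraintViolation<T> v : violations) {
            System.out.println(label + " -> " + v.getMessage());
        }
    }
}
```

Run it against an affected dropwizard-validation release to see the two messages differ; the difference is the whole vulnerability, since a real attacker would replace the arithmetic with an expression that calls Java methods. After upgrading to 1.3.19 or 2.0.2 both classes produce a literal message, and the escaping helper becomes redundant.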

Exploit

Fix

Weakness Enumeration

Special Elements Injection

Code Injection

Related Identifiers

BDU:2022-02826
CVE-2020-5245
GHSA-3MCP-9WR4-CJQF
GHSA-7V6M-28JR-RG84
RHSA-2025:10924
RHSA-2025:10925
RHSA-2025:10926

Affected Products

Dropwizard-Validation