Description

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Remediation

References

https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation

https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions

https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm

https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236

https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634

https://github.com/dropwizard/dropwizard/pull/3157

https://github.com/dropwizard/dropwizard/pull/3160

https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf

Related Vulnerabilities

CVE-2020-2275 Vulnerability in maven package org.jenkins-ci.plugins:copy-data-to-workspace-plugin

CVE-2022-21704 Vulnerability in npm package log4js

CVE-2023-25569 Vulnerability in maven package com.ctrip.framework.apollo:apollo

CVE-2022-31183 Vulnerability in maven package co.fs2:fs2-io_sjs1_3

CVE-2017-12197 Vulnerability in maven package org.kohsuke:libpam4j

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Patch Exploit