Description
Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Remediation
References
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md
Related Vulnerabilities
CVE-2018-15756 Vulnerability in maven package org.springframework:spring-web
CVE-2018-13003 Vulnerability in maven package net.opentsdb:opentsdb
CVE-2021-23490 Vulnerability in npm package parse-link-header
CVE-2023-26049 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2022-42466 Vulnerability in maven package org.apache.isis.viewer:isis-viewer-wicket-ui