Description
Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Remediation
References
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md
Related Vulnerabilities
CVE-2021-23395 Vulnerability in npm package nedb
CVE-2021-28170 Vulnerability in maven package org.glassfish:jakarta.el
CVE-2016-10569 Vulnerability in npm package embedza
CVE-2023-33202 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on
CVE-2020-2184 Vulnerability in maven package org.jenkins-ci.plugins:cvs