CVE-2020-5245 - Vulnerability Details - OpenCVE

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dropwizard	Dropwizard Validation
Oracle	Blockchain Platform

Configuration 1 [-]

OR	cpe:2.3:a:dropwizard:dropwizard_validation::::::::
	cpe:2.3:a:dropwizard:dropwizard_validation::::::::

Configuration 2 [-]

cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions
https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm
https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236
https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
https://github.com/dropwizard/dropwizard/pull/3157
https://github.com/dropwizard/dropwizard/pull/3160
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.04864}`	epss `{'score': 0.04339}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-02-24T17:35:20

Updated: 2024-08-04T08:22:09.091Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5245

Vulnrichment

Updated: 2024-08-04T08:22:09.091Z

NVD

Status : Modified

Published: 2020-02-24T18:15:22.477

Modified: 2024-11-21T05:33:45.297

Link: CVE-2020-5245

Redhat

No data.

{"containers": {"cna": {"title": "Remote Code Execution (RCE) vulnerability in dropwizard-validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}], "affected": [{"vendor": "dropwizard", "product": "dropwizard-validation", "versions": [{"version": ">= 1.3.0, < 1.3.19", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-05T16:42:31.207Z"}, "descriptions": [{"lang": "en", "value": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}], "source": {"advisory": "GHSA-3mcp-9wr4-cjqf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T14:57:55.801469Z", "id": "CVE-2020-5245", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:58:08.864Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.091Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5245", "datePublished": "2020-02-24T17:35:20", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.091Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3157", "name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3160", "name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.091Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-5245", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-06T14:57:55.801469Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:58:03.428Z"}}], "cna": {"title": "Remote Code Execution (RCE) vulnerability in dropwizard-validation", "source": {"advisory": "GHSA-3mcp-9wr4-cjqf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dropwizard", "product": "dropwizard-validation", "versions": [{"status": "affected", "version": ">= 1.3.0, < 1.3.19"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.2"}]}], "references": [{"url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3157", "name": "https://github.com/dropwizard/dropwizard/pull/3157", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dropwizard/dropwizard/pull/3160", "name": "https://github.com/dropwizard/dropwizard/pull/3160", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "name": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634", "tags": ["x_refsource_MISC"]}, {"url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-05T16:42:31.207Z"}}}, "cveMetadata": {"cveId": "CVE-2020-5245", "state": "PUBLISHED", "dateUpdated": "2024-08-04T08:22:09.091Z", "dateReserved": "2020-01-02T00:00:00", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2020-02-24T17:35:20", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dropwizard:dropwizard_validation:*:*:*:*:*:*:*:*", "matchCriteriaId": "6093F68F-E2FF-4A25-A709-79F315833DEF", "versionEndExcluding": "1.3.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:dropwizard:dropwizard_validation:*:*:*:*:*:*:*:*", "matchCriteriaId": "4522F31B-974E-4957-8A49-6B396C810720", "versionEndExcluding": "2.0.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7", "versionEndExcluding": "21.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."}, {"lang": "es", "value": "Dropwizard-Validation versiones anteriores a 1.3.19 y 2.0.2, puede permitir una ejecuci\u00f3n de c\u00f3digo arbitraria en el host system, con los privilegios de la cuenta de servicio de Dropwizard, mediante la inyecci\u00f3n de expresiones arbitrarias de Java Expression Language cuando se utiliza la funcionalidad self-validating. El problema se ha corregido en dropwizard-validation versiones 1.3.19 y 2.0.2."}], "id": "CVE-2020-5245", "lastModified": "2024-11-21T05:33:45.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-24T18:15:22.477", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}, {"source": "security-advisories@github.com", "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3157"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/pull/3160"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}