cvelist/2020/5xxx/CVE-2020-5245.json

{
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5245",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution (RCE) vulnerability in dropwizard-validation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "dropwizard-validation",
"version": {
"version_data": [
{
"version_value": "< 1.3.19"
},
{
"version_value": ">= 2.0.0, < 2.0.2"
}
]
}
}
]
},
"vendor_name": "dropwizard"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dropwizard-Validation before 1.3.19, and 2.0.0 before 2.0.2, may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language (EL) expressions when using the self-validating feature: attacker-controlled content placed in a constraint violation message is passed to the Bean Validation message interpolator, which evaluates EL expressions embedded in the message. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf",
"refsource": "CONFIRM",
"url": "https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"
},
{
"name": "https://github.com/dropwizard/dropwizard/pull/3157",
"refsource": "MISC",
"url": "https://github.com/dropwizard/dropwizard/pull/3157"
},
{
"name": "https://github.com/dropwizard/dropwizard/pull/3160",
"refsource": "MISC",
"url": "https://github.com/dropwizard/dropwizard/pull/3160"
},
{
"name": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634",
"refsource": "MISC",
"url": "https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"
},
{
"name": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation",
"refsource": "MISC",
"url": "https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"
},
{
"name": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions",
"refsource": "MISC",
"url": "https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"
},
{
"name": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm",
"refsource": "MISC",
"url": "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"advisory": "GHSA-3mcp-9wr4-cjqf",
"discovery": "UNKNOWN"
}
}