Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
CPE | Name | Operator | Version |
---|---|---|---|
dropwizard_validation | lt | 1.3.19 | |
dropwizard_validation | ge | 2.0.0 | |
dropwizard_validation | lt | 2.0.2 | |
blockchain_platform | lt | 21.1.2 |
beanvalidation.org/2.0/spec/
docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/
docs.oracle.com/javaee/7/tutorial/jsf-el.htm
github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
github.com/dropwizard/dropwizard/pull/3157
github.com/dropwizard/dropwizard/pull/3160
github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
www.oracle.com/security-alerts/cpuapr2022.html