dropwizard-validation is vulnerable to server-side template injection. The vulnerability exists because ViolationCollector does not sanitize Java Expression Language (EL) expressions: in the self-validating feature, a malicious Java EL expression can be passed into the server-side message template and evaluated, allowing an attacker to execute arbitrary code on the server.
beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation
docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions
docs.oracle.com/javaee/7/tutorial/jsf-el.htm
github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236
github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
github.com/dropwizard/dropwizard/issues/3153
github.com/dropwizard/dropwizard/pull/3157
github.com/dropwizard/dropwizard/pull/3160
github.com/dropwizard/dropwizard/releases
github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
github.com/pwntester
www.oracle.com/security-alerts/cpuapr2022.html