Description
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
Remediation
References
https://github.com/dropwizard/dropwizard/pull/3160
https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions
https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634
https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
https://github.com/dropwizard/dropwizard/pull/3157
https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation
https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm
https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236
Related Vulnerabilities
CVE-2022-29230 Vulnerability in npm package @shopify/hydrogen
CVE-2023-26045 Vulnerability in npm package nodebb
CVE-2020-26256 Vulnerability in npm package @fast-csv/parse
CVE-2023-37460 Vulnerability in maven package org.codehaus.plexus:plexus-archiver
CVE-2021-31407 Vulnerability in maven package com.vaadin:flow-server