Description

Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.

Remediation

References

https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md

Related Vulnerabilities

CVE-2015-8851 Vulnerability in maven package org.webjars:node-uuid

CVE-2022-31183 Vulnerability in maven package co.fs2:fs2-io_sjs1_2.13

CVE-2016-3720 Vulnerability in maven package com.fasterxml.jackson.dataformat:jackson-dataformat-xml

CVE-2017-3159 Vulnerability in maven package org.apache.camel:camel-snakeyaml

CVE-2019-13127 Vulnerability in maven package org.webjars.bowergithub.jgraph:mxgraph

Severity

Critical

Classification

CWE-917 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory