{"id":"CVE-2020-5245","details":"Dropwizard-Validation before 1.3.19, and 2.0.x before 2.0.2, may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.","aliases":["GHSA-3mcp-9wr4-cjqf"],"modified":"2026-04-12T00:01:29.999205Z","published":"2020-02-24T18:15:22.477Z","related":["GHSA-3mcp-9wr4-cjqf"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"21.1.2"}],"cpe":"cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation"},{"type":"ADVISORY","url":"https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions"},{"type":"ADVISORY","url":"https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/pull/3157"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/pull/3160"},{"type":"EVIDENCE","url":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dropwizard/dropwizard","events":[{"introduced":"0"},{"fixed":"b91d891e04fcb0c0c0c4fc3f371d36c09c19ba2c"},{"introduced":"20050b10bc7fe88edff3ff320b4cea85c023f30d"},{"fixed":"60206ea15541869622623167c590276a6329f5b8"},{"fixed":"28479f743a9d0aab6d0e963fc07f3dd98e8c8236"},{"fixed":"d87d1e4f8e20f6494c0232bf8560c961b46db634"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.3.19"},{"introduced"
:"2.0.0"},{"fixed":"2.0.2"}],"cpe":"cpe:2.3:a:dropwizard:dropwizard_validation:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"]}}],"versions":["v0.0.1","v0.0.10","v0.0.10-1","v0.0.11","v0.0.11-1","v0.0.12","v0.0.13","v0.0.2","v0.0.2-fix-publishing","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.2.0","v0.2.1","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.5.1","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.7.0-rc1","v0.7.0-rc2","v0.7.0-rc3","v0.8.0","v0.8.0-rc1","v0.8.0-rc2","v0.8.0-rc3","v0.8.0-rc4","v0.8.0-rc5","v0.8.1","v0.9.0","v0.9.0-rc1","v0.9.0-rc2","v0.9.0-rc3","v0.9.0-rc4","v0.9.0-rc5","v1.0.0","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.2.0","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.2.0-rc5","v1.2.0-rc6","v1.3.0","v1.3.0-rc1","v1.3.0-rc2","v1.3.0-rc3","v1.3.0-rc4","v1.3.0-rc5","v1.3.0-rc6","v1.3.0-rc7","v1.3.1","v1.3.10","v1.3.11","v1.3.12","v1.3.13","v1.3.14","v1.3.15","v1.3.16","v1.3.17","v1.3.18","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v2.0.0","v2.0.1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"325704836430436545654921010030726845514","length":224},"target":{"function":"failingExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-004ab124"},{"deprecated":false,"digest":{"function_hash":"155449278774423337620709399144354331874","length":70},"target":{"function":"validateFail2","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-04378052"},{"deprecated":false,
"digest":{"threshold":0.9,"line_hashes":["136448041769059862894844807665684969300","79958872375153508006783936415997242301","194165330049382532909201362947936401415","75228155750854051435593256672472015181","144902541354436957455378451643605673584","264091551558827828267832284611135324731","14896890172853010299135126523739484835","44307437610241292348751970242335303567","146050095505096120873622714987907613314","7520658898558252623117622252292418491","61562461763187306017491193298061328984","201950480667925961075325245368313601457","131098157773524596453661958720930080260","235183710204868488614557807181680144841","212027115055848128601672663922487924988","33151927883844365125700833818230299557","30392621042801199161480868028131045180","131657266952251206874538853702691523433","329851972362667844489266956304613921809","129180869473061051628269816833418500446","41748088916750526653643793667298784641","181106907806351714698297756308588446102","85877545788101691438802868311370990203","91229035760469397883649343193410265551","280903630463889196714539730302359976071","131125464265702161703045003378944805408","94605180782744655667157484889366927376","196736303771771850210679947120509087548","238455089750692925388465566609492816427","291415883297546766544952233605409540760","238177330881536150280105742986712493342","231963513706625717027911764788664863264","298452582449998968363994106087866805521","154477487988234575650569296366078909691","229032359673586700661385685607546193325","238455089750692925388465566609492816427","291415883297546766544952233605409540760","113782212761868713251802968571474283602","270591088668135585731507985894511930495","24133478918361608829850526986190075920","33145553068226632024307895758758016101","61726010982550794470989350498304805812","15992761685232273794806215682054438499","323188393804376808267125052451250926812","314959290318797042903070959230754470264","336546118620161329423077696954546033874","13837072896144318243063367604320270813","26
3834107791939893028649633312046746224","246334860592763881747132659569815303615","86180084031788514528925052810577992617","65260407663611095155517153087730197637","192494920417052614796435374166930153491","173699214215575690867182236084309904102","316283074488800105123883556500031964174","206675104151401888985546576487366612767","45052779314759683509013401482416706492","151410206264170964354687603647277578626","158381797366854878645987747098872477633","330722448752301932163893487168859765357","24357986612069057269952803010119933222","139044865252637973216193930402459877171","136053455062052796355887352068678131291","238684820536889933575082855664244820789","316524260285244666927422332339228004102","337823618082840433221834292352758758069","261834684998384195485716553786807956888","255537405458978443257648909056301553154","144665157605352805482477369350610972732","246445668056080603577105873854462361257","167873063609216252740955471560872308552","67806011801736149188441316792514791339","1433331493455158360482392052221043347","168687352164298414780927766224034710235","194598608399200717721310119099007388006","70500639224685348233795989421995224437","313667802375264537763077306410842916849","36134261723491899229936169361043093936","210739718002605194824974441005681655776","61162761198991035571691524805555662286","113271171888716419313965617521436754272","67806011801736149188441316792514791339","188856327478761063837576419854500338993","318032012110492612324391897307167473719","325457984895348859422298797892612880590","273755689666352209095782204863213586802","191603963795060448129165998800892013066","36134261723491899229936169361043093936","210739718002605194824974441005681655776","61162761198991035571691524805555662286","113271171888716419313965617521436754272","67806011801736149188441316792514791339","219099857822510354739858378263183237156","115739276403293164764386580283507042528","23627912777029367763367699512675903292","50670667737117035859233047614901788009","10
9001744205217698173370862249297459379","30548510291944496307526603007334438446","67806011801736149188441316792514791339","275138955721600444051781669452926315871","295022927503878515044849238487793396697","255349329120517614360307393458092997410","64261608805278119873769687376961200338","66756272832267866099150715325317428081","30548510291944496307526603007334438446","67806011801736149188441316792514791339","315772944723914186749361821387110638276","183967599642971128683148383548477329873","141728729300873348679030190491154346634","245427223716810362120585641312315685792","73994237107705450156580528611067067106","320157815646604460426129101898787777839","66756272832267866099150715325317428081","30548510291944496307526603007334438446","67806011801736149188441316792514791339","146992500165029883702531845004121457004","195893504532901428673859947648027780360","26779584587759739222305104788306813354","161648483088875717470992897580932345266","108073235143865713461382300309800728380","167873063609216252740955471560872308552","67806011801736149188441316792514791339","308465359324254750877489475202659873298","187239430132047394433479883792708514555","293653044229754459902574174645666598723","15975059790801332101288864304074436812","144996958565497093277141688304846260510","128145117633378916766278295903468440119","78511583011616843009395402177471243653","115015334955600003255387051789600436837","140220815921801194638898114601074408550","113271171888716419313965617521436754272","67806011801736149188441316792514791339","32784479081002470620770259429334754893","199648255824643145441483903837994630841","243462838995748733861982874043655126620","86956120344939107640654390279543971231","293168167634764366588023194502886616666","105207777691230318596912455274153011896","178365099898280813688131581394852078032","307075315832760320843098306888464742867","35542597879267364203518472829790657622","103782993477519601752238601230868498559","257563834586528145876587355815565481835","2532
50052058183438553317756057694845738","279155237282773640203601891950069450672","262710328152219428586947768610021016394","257722414246750986006679983055249940312","248649415955093180745874308716800693193","88173035409819849693361145368316745038","98140615960283502303643099845584118366","78533732892383935104767949723673840623","86914653949542650764823770778877806985","14556477129779954726571443666633220284","83104551259427782227825469089973753748","244306465463468069516752129530714981815","315188830080152358302492499144616071292","58688555864885598887954682319353153541","177232232637674541461473241408926486636","141161737185867889472275475901009962202","12493364095785565004229452381429804709","289086801670605201255421495798172910732","105207777691230318596912455274153011896","129236523268656829543612126852526691432","41049048021982830963087765131077298254","306263649862004215360875105866068292470","299472513022325453563835347504579712398","79723167706460700968848707349921915189","111355277700750110864179368050375561674","183565143109110434888570577310457343039"]},"target":{"file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Line","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-154b2461"},{"deprecated":false,"digest":{"function_hash":"12604168463531907052143972789308532016","length":374},"target":{"function":"giveWarningIfNoValidationMethods","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-22beb0bf"},{"deprecated":false,"digest":{"function_hash":"152312356327634912652304099317277448307","length":70},"target":{"function":"validateFail3","file":"dropwizard-validation/src/test/java/io/dropwizard/vali
dation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-27406607"},{"deprecated":false,"digest":{"function_hash":"325704836430436545654921010030726845514","length":224},"target":{"function":"testDirectContextUsage","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-2c74e611"},{"deprecated":false,"digest":{"function_hash":"256546907903235822328420677509990738338","length":107},"target":{"function":"addViolation","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-2ec3be5f"},{"deprecated":false,"digest":{"function_hash":"256546907903235822328420677509990738338","length":107},"target":{"function":"addViolation","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-363f1cf0"},{"deprecated":false,"digest":{"function_hash":"337331100131194965450880498587754083192","length":253},"target":{"function":"subClassExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-49e059dc"},{"deprecated":false,"digest":{"function_hash":"1232954345837111514354818
75634871255225","length":210},"target":{"function":"overridingSubClassExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-4bfc76a4"},{"deprecated":false,"digest":{"function_hash":"54725735918715980301854156837624796281","length":318},"target":{"function":"multipleTestingOfSameClass","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-576e06f5"},{"deprecated":false,"digest":{"function_hash":"317001071691288172143082047962896103411","length":255},"target":{"function":"multipleTestingOfSameClass","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-77a78da6"},{"deprecated":false,"digest":{"function_hash":"155449278774423337620709399144354331874","length":70},"target":{"function":"validateFail2","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-7ab29a83"},{"deprecated":false,"digest":{"function_hash":"288744354036271911199540800919978187659","length":160},"target":{"function":"testDirectContextUsage","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8
c8236","signature_version":"v1","id":"CVE-2020-5245-8db1552a"},{"deprecated":false,"digest":{"function_hash":"123295434583711151435481875634871255225","length":210},"target":{"function":"correctExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-999ccf5e"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["329145367710082673438120390506268279129","256216571023659825611332991140358806271","275543022392956080895316734143469645020","290667983915608011433504410296615255096","277127269047328885983639805998061375357","95769739322116653690677666277044153199","128830873498983736621094605760722719128","241865243302940904879625546700455034665","56144920502666030293687391378272715839","47211608564620720549726801243581363019"]},"target":{"file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"},"signature_type":"Line","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-9df8aaf5"},{"deprecated":false,"digest":{"function_hash":"329752630984766142528041816424168703260","length":274},"target":{"function":"complexExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-a5d32dd9"},{"deprecated":false,"digest":{"function_hash":"298748951140892893608950869291764962965","length":208},"target":{"function":"complexExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commi
t/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-ae0dc635"},{"deprecated":false,"digest":{"function_hash":"288744354036271911199540800919978187659","length":160},"target":{"function":"failingExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-b947546a"},{"deprecated":false,"digest":{"function_hash":"152312356327634912652304099317277448307","length":70},"target":{"function":"validateFail3","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-b9fc2fcc"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["329145367710082673438120390506268279129","256216571023659825611332991140358806271","275543022392956080895316734143469645020","290667983915608011433504410296615255096","277127269047328885983639805998061375357","95769739322116653690677666277044153199","128830873498983736621094605760722719128","241865243302940904879625546700455034665","56144920502666030293687391378272715839","47211608564620720549726801243581363019"]},"target":{"file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"},"signature_type":"Line","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-e2ec762c"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["255595182502313441245347413594526687205","105177334659823212738479695653406052992","310734404572315803244641908515214308237","83497445051260687290831644531857358185","41748088916750526653643793667298784641","18110690780635
1714698297756308588446102","323188393804376808267125052451250926812","314959290318797042903070959230754470264","336546118620161329423077696954546033874","13837072896144318243063367604320270813","67757900535847513539212785476842727105","107210273835676008048036133279335505530","155124161612340070348689314375051222076","108309771147180258690706346570759691086","115167078064456858403926092806449083301","96193288338055365149916687399577216547","106910745010164295629284103224220162073","195787071862972233045015335952692823081","64977659899495355625362790128424891672","240736646421036726486783766140039180261","22995584873280418063491368357336622530","263834107791939893028649633312046746224","246334860592763881747132659569815303615","86180084031788514528925052810577992617","65260407663611095155517153087730197637","192494920417052614796435374166930153491","173699214215575690867182236084309904102","316283074488800105123883556500031964174","206675104151401888985546576487366612767","45052779314759683509013401482416706492","151410206264170964354687603647277578626","158381797366854878645987747098872477633","330722448752301932163893487168859765357","24357986612069057269952803010119933222","139044865252637973216193930402459877171","136053455062052796355887352068678131291","238684820536889933575082855664244820789","316524260285244666927422332339228004102","337823618082840433221834292352758758069","261834684998384195485716553786807956888","146407665307039691216324962516951060237","329636333975112900101052826398210500982","3974946566039764661924196156549971893","141697157604180839622967481287140915665","295022927503878515044849238487793396697","255349329120517614360307393458092997410","118129338295100824109862352269041385394","323075872669173865653344162962513974584","315772944723914186749361821387110638276","183967599642971128683148383548477329873","141728729300873348679030190491154346634","245427223716810362120585641312315685792","73994237107705450156580528611067067106","1467048960
9655111085480076673807460171","323075872669173865653344162962513974584","146992500165029883702531845004121457004","195893504532901428673859947648027780360","72560277139128829507314080670867308390","257293151882727459217138322131405644236","329148670778169907206360602444057798352","90212057121428832588386358135149540326","187239430132047394433479883792708514555","197674761609303117603212700039216928433","81587324900420674085416062207027636761","105006182476214632680863493685813566800","156361273485474446061438354784019945405","128613723266909962337832377322581161888","338884658556223071940150127532356905306","209033535737036631365112367667402354539","215932613404291867439598704356490133924","288460508955636272100795185908903252924","177232232637674541461473241408926486636","141161737185867889472275475901009962202","25140581394508153811669366586558376277","313610023888508866518708699384402518390"]},"target":{"file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Line","source":"https://github.com/dropwizard/dropwizard/commit/28479f743a9d0aab6d0e963fc07f3dd98e8c8236","signature_version":"v1","id":"CVE-2020-5245-e439dc3d"},{"deprecated":false,"digest":{"function_hash":"337331100131194965450880498587754083192","length":253},"target":{"function":"annotatedSubClassExample","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"},"signature_type":"Function","source":"https://github.com/dropwizard/dropwizard/commit/d87d1e4f8e20f6494c0232bf8560c961b46db634","signature_version":"v1","id":"CVE-2020-5245-f530f367"}],"vanir_signatures_modified":"2026-04-12T00:01:29Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-5245.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}