{"id":"CVE-2020-11002","details":"dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.","aliases":["GHSA-8jpx-m2wh-2v34"],"modified":"2026-04-11T15:27:45.336591Z","published":"2020-04-10T19:15:13.007Z","related":["GHSA-3mcp-9wr4-cjqf","GHSA-8jpx-m2wh-2v34"],"references":[{"type":"ADVISORY","url":"https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability"},{"type":"ADVISORY","url":"https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext"},{"type":"ADVISORY","url":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/pull/3208"},{"type":"FIX","url":"https://github.com/dropwizard/dropwizard/pull/3209"},{"type":"EVIDENCE","url":"https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dropwizard/dropwizard","events":[{"introduced":"0"},{"fixed":"45575df553f0a93eb5b6b5c98e4471b590f1c884"},{"introduced":"20050b10bc7fe88edff3ff320b4cea85c023f30d"},{"fixed":"7cee3e11d29ec21f0073aa4ac03b08a4f2a0ef17"},{"fixed":"d5a512f7abf965275f2a6b913ac4fe778e424242"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.21"},{"introduced":"2.0.0"},{"fixed":"2.0.3"}]}}],"versions":["v0.0.1","v0.0.10","v0.0.10-1","v0.0.11","v0.0.11-1","v0.0.12","v0.0.13","v0.0.2","v0.0.2-fix-publishing","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.2.0","v0.2.1","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.5.1","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.7.0-rc1","v0.7.0-rc2","v0.7.0-rc3","v0.8.0","v0.8.0-rc1","v0.8.0-rc2","v0.8.0-rc3","v0.8.0-rc4","v0.8.0-rc5","v0.8.1","v0.9.0","v0.9.0-rc1","v0.9.0-rc2","v0.9.0-rc3","v0.9.0-rc4","v0.9.0-rc5","v1.0.0","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.2.0","v1.2.0-rc1","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.2.0-rc5","v1.2.0-rc6","v1.3.0","v1.3.0-rc1","v1.3.0-rc2","v1.3.0-rc3","v1.3.0-rc4","v1.3.0-rc5","v1.3.0-rc6","v1.3.0-rc7","v1.3.1","v1.3.10","v1.3.11","v1.3.12","v1.3.13","v1.3.14","v1.3.15","v1.3.16","v1.3.17","v1.3.18","v1.3.19","v1.3.2","v1.3.20","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v2.0.0","v2.0.1","v2.0.2"],"database_specific":{"vanir_signatures":[{"id":"CVE-2020-11002-08961cf7","digest":{"line_hashes":["237477073483422869711792644078593743392","130116094889457048069625861029359631817","178893246982509623276947674013653871942","272968795373308329488401766999346480960","150347288721522895998147882093882279821","71555405284725656891455030201541917354"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Line","target":{"file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/SelfValidating.java"}},{"id":"CVE-2020-11002-0f8c3cb8","digest":{"function_hash":"295357535180942111584079566059387273918","length":39},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"getContext","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-2ebcc0bb","digest":{"function_hash":"272617686474050350553945379445453350592","length":238},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"addViolation","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-4f085f2a","digest":{"line_hashes":["63833770171588027254143146596182268418","322271341517370960639965247080858839597","200180262371603654978731870012350698181","189710317347697797940810585174131534197","24290860256456015953018651484739656794","223365485700870631133275706417440447668","232389813548388518005538882066513943568","333699592489486422695355284541494072427","327123903825597600697294939117966143489","62498004845366416521076177464558157664","275227611231813819525451824237603659954","15644322790770085130223163961215299497","164183045965873707589603725487552756505","88539103849018839497736663811413352311","212154721708278628286730384947111471063","115237170752840037750555586414084162614","14342806918317137368984212098792932713","100207482574839664559719439115973702509","132162650443787921822553258188240340946","332604969744018696683421703240083481716","162338355339334528700955374323778019131","174565407529223860298185689561422568493","178998742056486017641623647165070932387","338728107540202957498278251431941733468","21747005300663371014519664523782758341","291774450900761495971353762870441839792","332604969744018696683421703240083481716","55678212341141084710568861294303375396","231826533574350809418798321166895376082","151494410135948310344762038534132176164","284266493730636947410780998215311446860","191001894756924501542358569351226791466","222478245736283558315793169955101284842","332604969744018696683421703240083481716","297524352572179908618011423312002847142","73216488666645808750098127053029167231","133898263660581293766502691020126889846","97191818659513821898545223940812334835","2388086484874354066975364208986144710","55200846237265699244832833577715540192","142402807302010446979155179204368870743","41439034202295067064705035502479656591","325882402688647758836812002933699063637","339312146428513194485159938377237751189","113878488864283942754583211014997107572","124671146384762728046577074711776539914","310170793533364260146715696559237003032","67986819009057292597891052767717684862","51616280817112144615106935528296757733","334029437100021274535961959699936827206","63595152861165032570824080323664864124","108076457541468468711367856325614727748","43675064357671581264774104582361078133","8708471629514727394529439620486921293","331064817946065038716498055632982344957"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Line","target":{"file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-517e33c0","digest":{"function_hash":"57235333181764634860347919253250825813","length":138},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"addViolation","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-6dc7073a","digest":{"line_hashes":["152483298131086274874676553817158965151","169927176478208700169661318546709664446","239499522125274006253281948690624139275","144783195541451537315311714310746735936","202719571883373938823616960663295410012","318860548258749210299658737254021891228","146621998950113419703978969645115063346","298127350158990038874621945551860910456","228151278091776132717113806340375530143","205828799676835241782707511939704430756","258424042180035438040959971503119431281","56456066950253727930504230972976308320","328862887870869217413196652415683925591","265891644552644066186294867648715002111","21302024783868956640096950379753137577","177882159654149973379767510976966716467","195384528959961908348511840426078030883","16414237221503015364616801026053831677","276687141128842740345119455536307258964","116426007573046222162077341176477972889","163211006408731095808142259579840496748","230597749294579040596156760818971261376","193392800502209268885065515368049573517","216453565618702024974726308414883905612"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Line","target":{"file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"}},{"id":"CVE-2020-11002-9a3e99f9","digest":{"function_hash":"272617686474050350553945379445453350592","length":238},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"addViolation","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-a28af1c8","digest":{"function_hash":"204863141182004954883186473948509976982","length":294},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"isValid","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/SelfValidatingValidator.java"}},{"id":"CVE-2020-11002-aad171cc","digest":{"function_hash":"109060598230631908667273698007190470625","length":307},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"violationMessagesAreEscaped","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"}},{"id":"CVE-2020-11002-b65a74df","digest":{"line_hashes":["215109247304904539856922437893813648194","174621090795565728135619536351546267387","201391811758586957897979632445823985974","147116733757733073451812520065053066137","71163791892188763812084433700610958803","45941169415708093336450198463778747568","40875617888971570178398309197841420013","299580407583143447167541449644537745036","151910095830571020476836741262593559035","97134543330518394252709409487867699769","262479040085963950519377279904012065108"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Line","target":{"file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/SelfValidatingValidator.java"}},{"id":"CVE-2020-11002-b8077fae","digest":{"function_hash":"101556795495388776281498111822201138552","length":249},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"validateFail","file":"dropwizard-validation/src/test/java/io/dropwizard/validation/SelfValidationTest.java"}},{"id":"CVE-2020-11002-c1da59a8","digest":{"function_hash":"216190859915552726671707505792069809036","length":51},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"ViolationCollector","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-f37264f5","digest":{"function_hash":"215002168891366140282502783445859207296","length":349},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"escapeEl","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}},{"id":"CVE-2020-11002-f4a2fd83","digest":{"function_hash":"43457027298952709251665003175727025231","length":173},"signature_version":"v1","source":"https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242","deprecated":false,"signature_type":"Function","target":{"function":"addViolation","file":"dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11002.json","vanir_signatures_modified":"2026-04-11T15:27:45Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}