CVE-2020-11002: 
Java vulnerability analysis and mitigation

A server-side template injection vulnerability was identified in dropwizard-validation before versions 2.0.3 and 1.3.21 (CVE-2020-11002). The vulnerability was discovered in the self-validating feature, which enabled attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE). This vulnerability was a follow-up to a previous incomplete fix (CVE-2020-5245) implemented in versions 1.3.19 and 2.0.2 (GitHub Advisory).

The vulnerability exists in the self-validating (@SelfValidating) feature of dropwizard-validation, where message interpolation in ConstraintViolations could be exploited through template injection. The issue allows attackers to inject and execute arbitrary Java Expression Language (EL) expressions when using the self-validating feature (@SelfValidating, @SelfValidation). The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code on the host system with the privileges of the Dropwizard service account. This remote code execution capability presents a significant security risk as it could lead to complete system compromise within the context of the application's permissions (GitHub Advisory).

The issue has been fixed in dropwizard-validation versions 1.3.21 and 2.0.3 or later. The fix includes disabling EL expression evaluation by default and introducing new addViolation methods that support message parameters instead of EL expressions. For users unable to upgrade, a workaround involves properly sanitizing any message added to the ViolationCollector in methods annotated with @SelfValidation. The fix also includes the option to explicitly allow expression interpolation through SelfValidating#escapeExpressions() (GitHub Advisory).