CVE-2020-5245: 
Java vulnerability analysis and mitigation

Dropwizard-Validation before versions 1.3.19 and 2.0.2 contained a server-side template injection vulnerability in its self-validating feature that could allow arbitrary code execution on the host system with the privileges of the Dropwizard service account. The vulnerability was discovered in early 2020 and tracked as CVE-2020-5245. The issue specifically affected the @SelfValidating feature which allowed attackers to inject arbitrary Java Expression Language (EL) expressions (GitHub Advisory).

The vulnerability existed in the ViolationCollector component of dropwizard-validation, which failed to properly escape Java Expression Language (EL) expressions in validation messages. This allowed attackers to inject malicious EL expressions that could be executed when using the self-validating feature through @SelfValidating and @SelfValidation annotations. The issue was fixed by implementing proper escaping of EL expressions in the ViolationCollector class (GitHub Commit).

The vulnerability could allow attackers to execute arbitrary code on the host system with the same privileges as the Dropwizard service account. This remote code execution capability posed a significant security risk to systems running vulnerable versions of the software (GitHub Advisory).

The primary mitigation is to upgrade to dropwizard-validation version 1.3.19 or 2.0.2 which contain the fix. For users unable to upgrade, a workaround involves properly sanitizing any messages added to the ViolationCollector in methods annotated with @SelfValidation by escaping relevant characters such as '$'. The fix implemented in the patched versions includes proper escaping of EL expressions in the ViolationCollector class (GitHub Advisory).