CVE-2020-11002

CVE-2020-11002 is a high-severity security vulnerability in io.dropwizard:dropwizard-validation (maven), affecting versions < 1.3.21. It is fixed in 1.3.21, 2.0.3.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Remote Code Execution (RCE) vulnerability in dropwizard-validation

A server-side template injection was identified in the self-validating (@SelfValidating) feature of dropwizard-validation enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability.

If you're using a self-validating bean (via @SelfValidating), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended.

The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see GHSA-3mcp-9wr4-cjqf/CVE-2020-5245) unfortunately didn't fix the underlying issue completely.

Workarounds

If you are not able to upgrade to one of the aforementioned versions of dropwizard-validation but still want to use the @SelfValidating feature, make sure to properly sanitize any message you're adding to the ViolationCollector in the method annotated with @SelfValidation.

Example:

@SelfValidation
public void validateFullName(ViolationCollector col) {
    if (fullName.contains("_")) {
        // Sanitize fullName variable by escaping relevant characters such as "$"
        col.addViolation("Full name contains invalid characters:  " + sanitizeJavaEl(fullName));
    }
}

See also:
https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java

References

For more information

If you have any questions or comments about this advisory:

Security contact

If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our security policy:

https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability

Impact

This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary Java Expression Language (EL) expressions when using the self-validating feature (@SelfValidating, @SelfValidation) in dropwizard-validation.

CVE-2020-11002 has a CVSS score of 8.0 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.21, 2.0.3); upgrading removes the vulnerable code path.

Affected versions

io.dropwizard:dropwizard-validation (< 1.3.21) io.dropwizard:dropwizard-validation (>= 2.0.0, < 2.0.3)

Security releases

io.dropwizard:dropwizard-validation → 1.3.21 (maven) io.dropwizard:dropwizard-validation → 2.0.3 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

The evaluation of EL expressions has been disabled by default now.

In order to use some interpolation in the violation messages added to ViolationCollector, it has to be explicitly allowed by setting SelfValidating#escapeExpressions() to false.

It is also recommended to use the addViolation methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3:

Frequently Asked Questions

  1. What is CVE-2020-11002? CVE-2020-11002 is a high-severity security vulnerability in io.dropwizard:dropwizard-validation (maven), affecting versions < 1.3.21. It is fixed in 1.3.21, 2.0.3.
  2. How severe is CVE-2020-11002? CVE-2020-11002 has a CVSS score of 8.0 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of io.dropwizard:dropwizard-validation are affected by CVE-2020-11002? io.dropwizard:dropwizard-validation (maven) versions < 1.3.21 is affected.
  4. Is there a fix for CVE-2020-11002? Yes. CVE-2020-11002 is fixed in 1.3.21, 2.0.3. Upgrade to this version or later.
  5. Is CVE-2020-11002 exploitable, and should I be worried? Whether CVE-2020-11002 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2020-11002 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2020-11002?
    • Upgrade io.dropwizard:dropwizard-validation to 1.3.21 or later
    • Upgrade io.dropwizard:dropwizard-validation to 2.0.3 or later

Other vulnerabilities in io.dropwizard:dropwizard-validation

Stop the waste.
Protect your environment with Kodem.