CVE-2020-11002
CVE-2020-11002 is a high-severity vulnerability in Dropwizard Dropwizard Validation with a CVSS 3.x base score of 8.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-74.
Key facts
- Severity: High (CVSS 3.x base score 8.0)
- CVSS v2: 9.0
- EPSS exploit prediction: 5% (91st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-74
- Affected product: Dropwizard Dropwizard Validation
- Published:
- Last modified:
Description
dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.
Frequently asked questions
- What is CVE-2020-11002?
- dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.
- How severe is CVE-2020-11002?
- CVE-2020-11002 has a CVSS 3.x base score of 8.0, rated high severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-11002 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 5% (91st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-11002?
- CVE-2020-11002 affects Dropwizard Dropwizard Validation. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-11002?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2020-11002 published?
- CVE-2020-11002 was published on 2020-04-10 and last updated on 2026-06-17.
References
- https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext
- https://github.com/dropwizard/dropwizard/commit/d5a512f7abf965275f2a6b913ac4fe778e424242
- https://github.com/dropwizard/dropwizard/pull/3208
- https://github.com/dropwizard/dropwizard/pull/3209
- https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf
- https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34
- https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability
Affected products (1)
- cpe:2.3:a:dropwizard:dropwizard_validation:*:*:*:*:*:*:*:*
More vulnerabilities in Dropwizard Dropwizard Validation
- CVE-2020-5245 — High (CVSS 7.9): Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the…
All CVEs affecting Dropwizard Dropwizard Validation →
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →