CVE-2020-9296 – com.netflix.conductor:conductor-core

Package

Manager: maven
Name: com.netflix.conductor:conductor-core
Vulnerable Version: >=0 <2.25.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00563 pctl0.67398

Details

Expression Language Injection in Netflix Conductor Netflix Conductor uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.

Metadata

Created: 2022-02-10T23:06:57Z
Modified: 2021-07-29T18:20:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-wfj5-2mqr-7jvv/GHSA-wfj5-2mqr-7jvv.json
CWE IDs: ["CWE-917"]
Alternative ID: GHSA-wfj5-2mqr-7jvv
Finding: F004
Auto approve: 1