Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: netflix
Published: 2020-06-16T13:19:56
Updated: 2024-08-04T10:26:16.063Z
Reserved: 2020-02-19T00:00:00
Link: CVE-2020-9296
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-06-16T14:15:11.867
Modified: 2024-11-21T05:40:22.460
Link: CVE-2020-9296
Redhat
No data.