Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: netflix
Published: 2020-07-14T19:07:54
Updated: 2024-08-04T10:26:15.938Z
Reserved: 2020-02-19T00:00:00
Link: CVE-2020-9297
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-07-14T20:15:11.877
Modified: 2024-11-21T05:40:22.563
Link: CVE-2020-9297
Redhat
No data.