Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdmajUtMm1xci03anZ2
Expression Language Injection in Netflix Conductor
Netflix Conductor uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data into the error message template passed as the argument to ConstraintValidatorContext.buildConstraintViolationWithTemplate(), they will be able to run arbitrary Java code.
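As an added illustration (not code from the advisory or from Conductor), the vulnerable pattern the advisory describes beside a hardened form. It assumes Hibernate Validator as the Bean Validation provider and a hypothetical helper class TaskNameViolations used from a custom validator's isValid():

```java
import java.util.regex.Pattern;
import javax.validation.ConstraintValidatorContext;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

/** Hypothetical helper for a custom constraint validator; not Conductor's own code. */
public final class TaskNameViolations {

    // Constructed allow-list for the example: what a "task name" is permitted to look like.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /**
     * VULNERABLE: the rejected user value is concatenated into the message template.
     * The provider interpolates the whole template, so "{...}" is treated as a message
     * parameter and "${...}" as a Java EL expression. Untrusted input therefore reaches
     * the EL evaluator, which is the bug class described in the advisory.
     */
    static void reportUnsafe(ConstraintValidatorContext ctx, String value) {
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("Invalid task name: " + value)
           .addConstraintViolation();
    }

    /**
     * HARDENED: the template is a compile-time constant and the user value is bound as an
     * EL variable. "${name}" resolves to the variable's value; the value itself is never
     * re-interpolated, so "${" or "{" inside it stays inert text.
     */
    static void reportSafe(ConstraintValidatorContext ctx, String value) {
        HibernateConstraintValidatorContext hctx =
                ctx.unwrap(HibernateConstraintValidatorContext.class);
        hctx.disableDefaultConstraintViolation();
        hctx.addExpressionVariable("name", String.valueOf(value))
            .buildConstraintViolationWithTemplate("Invalid task name: ${name}")
            .addConstraintViolation();
    }

    /** Typical isValid() body: accept allow-listed names, otherwise record a violation safely. */
    static boolean check(String value, ConstraintValidatorContext ctx) {
        if (value != null && ALLOWED.matcher(value).matches()) {
            return true;
        }
        reportSafe(ctx, value);
        return false;
    }
}
```

Hibernate Validator 6.2 and later disable EL evaluation for custom violation templates by default, which limits this bug class on new deployments, but the rule that untrusted data never becomes part of a template still applies to older providers and to any configuration that re-enables EL.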
Permalink: https://github.com/advisories/GHSA-wfj5-2mqr-7jvv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdmajUtMm1xci03anZ2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-wfj5-2mqr-7jvv, CVE-2020-9296
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-9296
- https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-001.md
- https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md
- https://github.com/advisories/GHSA-wfj5-2mqr-7jvv
Blast Radius: 10.2
Affected Packages
maven:com.netflix.conductor:conductor-core
Dependent packages: 50
Dependent repositories: 11
Affected Version Ranges: <= 2.25.3
Fixed in: 2.25.4
All affected versions: 0.0.4, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10.0, 1.10.1, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 1.10.18, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.11, 1.12.12, 1.12.13, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.13.0, 2.13.5, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.2, 2.16.3, 2.16.4, 2.17.0, 2.18.0, 2.19.0, 2.20.0, 2.21.0, 2.21.1, 2.21.2, 2.22.0, 2.22.1, 2.22.2, 2.22.3, 2.22.4, 2.22.5, 2.22.6, 2.23.0, 2.24.0, 2.25.0, 2.25.1, 2.25.3
All unaffected versions: 2.25.4, 2.25.5, 2.25.6, 2.25.7, 2.25.8, 2.25.9, 2.25.10, 2.25.11, 2.26.0, 2.26.1, 2.27.0, 2.27.1, 2.27.2, 2.27.3, 2.27.4, 2.27.5, 2.27.6, 2.28.0, 2.28.1, 2.28.2, 2.28.3, 2.29.0, 2.29.1, 2.29.2, 2.29.3, 2.30.1, 2.30.2, 2.30.3, 2.30.4, 2.31.0, 2.31.1, 2.31.2, 2.31.3, 2.31.4, 2.31.5, 2.31.6, 2.31.7, 2.31.8, 2.31.9, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.7.0, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.13.5, 3.13.6, 3.13.7, 3.13.8, 3.14.0, 3.15.0