44 matches found

RedHat Linux | added 2021/08/18 9:13 a.m. | 1 view

cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution

A flaw was found in cron-utils. End applications passing unsanitized user input which is subsequently parsed by the @Cron annotation can allow an attacker to execute arbitrary expressions using JavaEL which will be implicitly executed by the constraint validator. The highest threat from this...

CVSS 8.1 | AI score 7.5 | EPSS 0.09965 | Exploits 1 | References 4
RedHat Linux | added 2021/03/29 11:12 a.m. | 1 view

cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution

A flaw was found in cron-utils. End applications passing unsanitized user input which is subsequently parsed by the @Cron annotation can allow an attacker to execute arbitrary expressions using JavaEL which will be implicitly executed by the constraint validator. The highest threat from this...

CVSS 8.1 | AI score 7.5 | EPSS 0.09965 | Exploits 1 | References 4
CNNVD | added 2020/12/24 12:00 a.m. | 1 view

BrowserUp Proxy Injection Vulnerability

BrowserUp Proxy is software from BrowserUp, Inc. used to monitor, test and manipulate the network traffic and performance of web applications. BrowserUp Proxy suffers from an injection vulnerability that can be exploited by an attacker to inject arbitrary Java EL expressions,...

CVSS 10 | AI score 7.5 | EPSS 0.02411 | Exploits 1 | References 5
CNVD | added 2020/05/06 12:00 a.m. | 1 view

Apache Syncope Injection Vulnerability

Apache Syncope is an open-source digital identity management system from the Apache Software Foundation (US), intended for enterprise environments. The system supports identity management, role configuration and more. An injection vulnerability exists in Apache Syncope versions 2.0.X prior t...

CVSS 9.8 | AI score 7.4 | EPSS 0.07128 | Exploits 0 | References 1
Veracode | added 2020/04/17 2:10 a.m. | 31 views

Remote Code Execution

Sonatype nxrm is vulnerable to remote code execution. The vulnerability allows high privilege users such as administrators to run arbitrary code on the server with Nexus process privileges by injecting arbitrary Java Expression Language EL expressions...

CVSS 8.8 | AI score 6.7 | EPSS 0.94379 | Exploits 10 | References 6 | Affected Software 2
Exploit DB | added 2020/04/17 12:00 a.m. | 489 views

Nexus Repository Manager - Java EL Injection RCE (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nexus Repository Manager Java EL Injection RCE', 'Description' = %q This module exploits a Java Expression Language EL injection in Nexus...

CVSS 9 | AI score 8.7 | EPSS 0.94379 | Exploits 10
0day.today | added 2020/04/16 12:00 a.m. | 171 views

Nexus Repository Manager 3.21.1-01 Remote Code Execution Exploit

This Metasploit module exploits a Java Expression Language EL injection in Nexus Repository Manager versions up to and including 3.21.1 to execute code as the Nexus user. Tested against 3.21.1-01. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 9 | AI score 9 | EPSS 0.94379 | Exploits 10
Packet Storm | added 2020/04/16 12:00 a.m. | 247 views

Nexus Repository Manager 3.21.1-01 Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nexus Repository Manager Java EL Injection RCE', 'Description' = %q This module exploits a Java Expression Language EL injection in Nexus...

CVSS 9 | AI score 8.7 | EPSS 0.94379 | Exploits 10
Metasploit | added 2020/04/15 8:49 p.m. | 82 views

Nexus Repository Manager Java EL Injection RCE

This module exploits a Java Expression Language EL injection in Nexus Repository Manager versions up to and including 3.21.1 to execute code as the Nexus user. This is a post-authentication vulnerability, so credentials are required to exploit the bug. Any user regardless of privilege level may b...

CVSS 8.8 | AI score 0.4 | EPSS 0.94379 | Exploits 10
Veracode | added 2020/04/13 3:58 a.m. | 23 views

Server-Side Template Injection

dropwizard-validation is vulnerable to Server-Side Template Injection. The vulnerability exists as ViolationCollector does not sanitize Java Expression Language EL expressions and accepts malicious Java EL expressions to be passed into the server-side template in the self-validating feature,...

CVSS 8.8 | AI score 4.5 | EPSS 0.01256 | Exploits 1 | References 8 | Affected Software 1
Github Security Blog | added 2020/04/10 6:42 p.m. | 131 views

Remote Code Execution (RCE) vulnerability in dropwizard-validation

Summary A server-side template injection was identified in the self-validating @SelfValidating feature of dropwizard-validation enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution RCE vulnerability. If you're using a self-validating bean via @SelfValidatin...

CVSS 9 | AI score 1.1 | EPSS 0.01256 | Exploits 1 | References 9 | Affected Software 1
OSV | added 2020/04/01 7:15 p.m. | 0 views

CVE-2020-10199

Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection issue 1 of 2...

CVSS 8.8 | AI score 7.3 | EPSS 0.94379 | Exploits 10 | References 5
Veracode | added 2020/02/25 3:27 a.m. | 29 views

Server-Side Template Injection

dropwizard-validation is vulnerable to server-side template injection. The vulnerability exists as ViolationCollector does not sanitize Java Expression Language EL expressions and accepts malicious Java EL expressions to be passed into the server-side template in the self-validating feature,...

CVSS 8.8 | AI score 4.5 | EPSS 0.06001 | Exploits 1 | References 12 | Affected Software 1
OSV | added 2020/02/24 6:15 p.m. | 24 views

CVE-2020-5245

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in...

CVSS 8.8 | AI score 8.4 | Exploits 0 | References 8
NVD | added 2020/02/24 6:15 p.m. | 20 views

CVE-2020-5245

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in...

CVSS 9 | AI score 8.6 | EPSS 0.06001 | Exploits 1 | References 8
Prion | added 2020/02/24 6:15 p.m. | 19 views

Security feature bypass

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in...

CVSS 9 | AI score 8.9 | EPSS 0.06001 | Exploits 1 | References 8 | Affected Software 2
Cvelist | added 2020/02/24 5:35 p.m. | 20 views

CVE-2020-5245 Remote Code Execution (RCE) vulnerability in dropwizard-validation

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in...

CVSS 7.9 | AI score 8.6 | EPSS 0.06001 | Exploits 1 | References 8
Vulnrichment | added 2020/02/24 5:35 p.m. | 24 views

CVE-2020-5245 Remote Code Execution (RCE) vulnerability in dropwizard-validation

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in...

CVSS 7.9 | AI score 7.7 | EPSS 0.06001 | Exploits 1 | References 8
OSV | added 2020/02/24 5:27 p.m. | 0 views

GHSA-3MCP-9WR4-CJQF Remote Code Execution (RCE) vulnerability in dropwizard-validation

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. Summary A server-side template injection...

CVSS 7.9 | AI score 7.7 | EPSS 0.06001 | Exploits 2 | References 11
Github Security Blog | added 2020/02/24 5:27 p.m. | 75 views

Remote Code Execution (RCE) vulnerability in dropwizard-validation

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. Summary A server-side template injection...

CVSS 9 | AI score 2.2 | EPSS 0.06001 | Exploits 1 | References 11 | Affected Software 1
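The cron-utils (@Cron) and dropwizard-validation (@SelfValidating / ViolationCollector) entries above describe one bug class: a constraint validator splices a user-supplied value into a constraint violation message template, and the Bean Validation message interpolator then evaluates any `${...}` in that template as Java EL (CWE-917). The following is an added example written for this page; it is not code from cron-utils, Dropwizard, Hibernate Validator or any of the advisories listed, and the `@CronLike` constraint, the `ScheduleRequest` bean and the `escapeTemplate` helper are hypothetical names chosen for illustration. It assumes the `javax.validation` API with Hibernate Validator 6.1.x and an EL implementation (for example `org.glassfish:jakarta.el`) on the classpath. Hibernate Validator 6.2 and later no longer evaluate EL in custom violation templates by default, so on those versions both fields echo the literal probe.

```java
// Added example: a custom Bean Validation constraint that reproduces the
// "user input inside a violation message template" bug and its fix.
// Assumes javax.validation + Hibernate Validator 6.1.x + an EL implementation.
// All names below (@CronLike, ScheduleRequest, escapeTemplate) are hypothetical.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;

public class ElInjectionDemo {

    /** Hypothetical constraint: the value must look like a 5-field cron expression. */
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = CronLikeValidator.class)
    public @interface CronLike {
        String message() default "invalid cron expression";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
        /** false = splice the rejected value raw into the template (the vulnerable pattern). */
        boolean escape() default true;
    }

    public static class CronLikeValidator implements ConstraintValidator<CronLike, String> {
        private boolean escape;

        @Override
        public void initialize(CronLike annotation) {
            this.escape = annotation.escape();
        }

        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.trim().split("\\s+").length == 5) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            // Whatever string is handed to buildConstraintViolationWithTemplate() goes
            // through the message interpolator, which evaluates ${...} as Java EL.
            // Concatenating the user's value in unescaped hands them that expression slot.
            String shown = escape ? escapeTemplate(value) : value;
            ctx.buildConstraintViolationWithTemplate("'" + shown + "' is not a cron expression")
               .addConstraintViolation();
            return false;
        }
    }

    /**
     * Backslash-escape the interpolator's metacharacters (\ { } $) so the value is
     * rendered literally instead of being parsed as a parameter or EL expression.
     */
    static String escapeTemplate(String s) {
        return s.replaceAll("[\\\\{}$]", "\\\\$0");
    }

    /** Hypothetical request bean: the same input validated the unsafe and the safe way. */
    public static class ScheduleRequest {
        @CronLike(escape = false) String unsafeSchedule;
        @CronLike String safeSchedule;

        ScheduleRequest(String schedule) {
            this.unsafeSchedule = schedule;
            this.safeSchedule = schedule;
        }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Benign probe (constructed input): arithmetic inside ${...}. If the message
        // comes back with the product instead of the text, the interpolator executed
        // attacker-controlled EL; a real payload would use the same slot for reflection.
        Set<ConstraintViolation<ScheduleRequest>> violations =
            validator.validate(new ScheduleRequest("${7*7}"));
        for (ConstraintViolation<ScheduleRequest> v : violations) {
            System.out.println(v.getPropertyPath() + " -> " + v.getMessage());
        }
    }
}
```

Run `main` and compare the two messages: with a Hibernate Validator that still evaluates EL in custom templates, `unsafeSchedule` reports `'49' is not a cron expression`, while `safeSchedule` echoes `${7*7}` unchanged. The point generalises beyond cron strings: any validator, `@SelfValidating` method or error-reporting helper that builds a template from request data is affected, so either escape the value as `escapeTemplate` does, pass it through the interpolator's parameter mechanism instead of string concatenation, or keep EL disabled for custom violations on the validator versions that support that setting.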