4 matches found
CVE-2020-9297
Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary...
CVE-2020-9297
CVE-2020-9297 affects Netflix Titus prior to v0.1.1-rc.274. The issue arises when building custom constraint violation messages with ConstraintValidatorContext.buildConstraintViolationWithTemplate(); an attacker could inject arbitrary data into the error message template, enabling execution of ar...
CVE-2020-9296
CVE-2020-9296 affects Netflix Titus and Netflix Conductor through Java Bean Validation (JSR 380) custom constraint validators. The issue arises when building constraint violation messages via ConstraintValidatorContext.buildConstraintViolationWithTemplate(): attacker-controlled data in the templa...
Remote code execution
A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When...