CVE-2020-9296

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-9296

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-9296.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-9296

Aliases

GHSA-wfj5-2mqr-7jvv

Withdrawn

2024-05-08T06:51:26.682730Z

Published

2020-06-16T14:15:11Z

Modified

2023-11-28T21:14:33.368918Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.

References

https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md

Affected packages

Git / github.com/netflix/conductor

Affected ranges

Type: GIT
Repo: https://github.com/netflix/conductor
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

86b26785c91dd8f635fce486634108354344f200

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

1.*

1.5.0

1.5.1

1.8.2-rc2

1.8.2-rc7

Other

2019-04-12-1300

v1.*

v1.10.0

v1.10.10

v1.10.11

v1.10.12

v1.10.13

v1.10.14

v1.10.15

v1.10.16

v1.10.17

v1.10.18

v1.10.2

v1.10.3

v1.10.4

v1.10.5

v1.10.6

v1.10.7

v1.10.8

v1.10.9

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.12.0

v1.12.1

v1.12.10

v1.12.2

v1.12.3

v1.12.4-rc1

v1.12.4-rc2

v1.6.0

v1.6.0-rc1

v1.6.1

v1.6.1-rc1

v1.6.2-rc1

v1.7.0

v1.7.0-rc1

v1.7.0-rc10

v1.7.0-rc11

v1.7.0-rc12

v1.7.0-rc2

v1.7.0-rc3

v1.7.0-rc4

v1.7.0-rc5

v1.7.0-rc6

v1.7.0-rc7

v1.7.0-rc8

v1.7.0-rc9

v1.7.2

v1.7.2-rc1

v1.7.2-rc2

v1.7.2-rc3

v1.7.2-rc4

v1.7.2-rc5

v1.7.2-rc6

v1.7.2-rc7

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.6-rc1

v1.7.6-rc2

v1.8.0

v1.8.0-alpha-1

v1.8.1

v1.8.2-rc1

v1.8.2-rc10

v1.8.2-rc11

v1.8.2-rc3

v1.8.2-rc4

v1.8.2-rc5

v1.8.2-rc6

v1.8.2-rc8

v1.8.2-rc9

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.0.0-rc5

v2.0.1

v2.1.0

v2.1.1

v2.10.0

v2.10.1

v2.10.2

v2.11.0

v2.12.0

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.13.0

v2.13.4-alpha.2

v2.13.5

v2.14.0

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.14.7

v2.15.0

v2.15.0-rc.1

v2.15.0-rc.2

v2.15.1

v2.15.2

v2.15.3-beta.1

v2.16.0

v2.16.0-beta

v2.16.0-beta.1

v2.16.1

v2.16.4-hotfix.1

v2.17.0

v2.18.0

v2.18.0-beta.2

v2.19.0

v2.2.0

v2.2.1

v2.2.2

v2.20.0

v2.21.0

v2.21.1

v2.22.0

v2.22.1

v2.22.2

v2.22.3

v2.22.4

v2.22.5

v2.22.6

v2.23.0

v2.24.0

v2.24.1

v2.24.2

v2.24.3

v2.24.4

v2.24.5

v2.24.5-alpha

v2.24.5-alpha.1

v2.24.5-alpha.2

v2.25.0

v2.25.1

v2.25.3

v2.3.0

v2.4.0

v2.4.1

v2.4.2

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.6

v2.9.0

v2.9.1