SCA: security update for io.dropwizard:dropwizard-validation (GHSA-8jpx-m2wh-2v34)

high Tenable Self-Hosted Container Security Plugin ID 422194

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A
server-side template injection was identified in the self-validating feature enabling attackers to inject
arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a
self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes
introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue
completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly
recommend upgrading to one of these versions. (CVE-2020-11002)

See Also

https://github.com/advisories/GHSA-8jpx-m2wh-2v34

Plugin Details

Severity: High

ID: 422194

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2020-11002

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/10/2020

Vulnerability Publication Date: 4/10/2020

Reference Information

CVE: CVE-2020-11002

cwe: CWE-74