Netflix: Security Vulnerabilities
Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data into the error message template passed as the argument to ConstraintValidatorContext.buildConstraintViolationWithTemplate(), they will be able to run arbitrary Java code.
CVSS Score: 9.8
EPSS Score: 0.005
Published: 2020-07-14
Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data into the error message template passed as the argument to ConstraintValidatorContext.buildConstraintViolationWithTemplate(), they will be able to run arbitrary Java code.
CVSS Score: 9.8
EPSS Score: 0.006
Published: 2020-06-16
Denial of service (DoS) in DIAL reference source code used before June 18th, 2019.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2019-06-21
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting with AES in CBC mode.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2017-08-09
Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the "next" parameter and then redirected to any domain, irrespective of the Host header.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2017-03-26

