VYPR
Critical severity · OSV Advisory · Published Jun 16, 2020 · Updated Aug 4, 2024

CVE-2020-9296

Description

Netflix Titus/Conductor allow unauthenticated RCE via Java EL injection in Bean Validation error message templates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

Netflix Titus and Conductor use Java Bean Validation (JSR 380) custom constraint validators. When a custom validator builds its own constraint violation message, the message template is run through the validator's interpolator, which supports several interpolation forms, including Java EL expressions. The vulnerability arises when attacker-controlled data is passed unsanitized as the template argument of ConstraintValidatorContext.buildConstraintViolationWithTemplate(): the interpolator evaluates any EL expression embedded in that data, allowing arbitrary Java code execution [1]. This is a server-side template injection (SSTI) vulnerability in the validation error-handling path [2].

Exploitation

An attacker can inject arbitrary Java EL expressions into validation error message templates. No authentication is required to trigger this, as the vulnerability is reachable via unauthenticated endpoints in affected Netflix Titus and Conductor services. The attack surface includes any REST API endpoint that uses custom Bean Validation constraints and reflects user input into error messages [2][3].

Impact

A successful exploit yields unauthenticated Remote Code Execution (RCE) on the target server. An attacker could execute arbitrary Java code, leading to full system compromise, data exfiltration, or lateral movement within the network. CVSS v3.1 base score is estimated at 9.8 (Critical) due to network attack vector, low complexity, and no privileges required [1].

Mitigation

Netflix has released patches: Conductor versions >= v2.25.3 switch to Apache BVal (not vulnerable), while Titus versions >= v0.1.1-rc.274 sanitize the message string to escape EL special characters [2][3]. Users should upgrade immediately. No workarounds are available.
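The following is an added illustration, not code from Titus, Conductor or the advisory, of the pattern described under Description and the escaping fix described under Mitigation. The NoWhitespace constraint, both validator classes and the ElEscaper helper are hypothetical names chosen for this example; the code targets the javax.validation (Bean Validation 2.0) API that both projects used at the time.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

// Illustrative constraint (hypothetical, not from Titus or Conductor): the
// annotated string must not contain whitespace. It is wired to the hardened
// validator; the unsafe one is kept only so the pattern can be recognised in review.
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeNoWhitespaceValidator.class)
@interface NoWhitespace {
    String message() default "must not contain whitespace";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

// VULNERABLE PATTERN (the bug class behind CVE-2020-9296): the raw, client-supplied
// value is concatenated into the message template. The template is interpolated
// by the Bean Validation provider, so a value containing "${...}" is evaluated
// as Java EL on the server instead of being echoed back as text.
class UnsafeNoWhitespaceValidator implements ConstraintValidator<NoWhitespace, String> {
    private static final Pattern WHITESPACE = Pattern.compile("\\s");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || !WHITESPACE.matcher(value).find()) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate(
                "Value '" + value + "' must not contain whitespace") // input becomes the template
            .addConstraintViolation();
        return false;
    }
}

// HARDENED FORM: the template is either a fixed string, or the echoed value is
// escaped first so the interpolator treats it as literal text (the approach the
// Titus patch took, per the advisory text above).
class SafeNoWhitespaceValidator implements ConstraintValidator<NoWhitespace, String> {
    private static final Pattern WHITESPACE = Pattern.compile("\\s");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || !WHITESPACE.matcher(value).find()) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate(
                "Value '" + ElEscaper.escape(value) + "' must not contain whitespace")
            .addConstraintViolation();
        return false;
    }
}

// Escapes the characters that Bean Validation message interpolation treats as
// special. The specification defines backslash escaping for '{', '}', '$' and
// '\' in message templates, so "\${" is rendered as the literal text "${" and
// never reaches the EL evaluator. (Hypothetical helper written for this example.)
final class ElEscaper {
    private ElEscaper() {}

    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\':
                case '{':
                case '}':
                case '$':
                    out.append('\\');
                    // fall through: emit the character itself after the escape
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }
}
```

Two points for anyone auditing validators for this pattern. First, the fix that removes the risk entirely is a template that never carries client data; escaping is the fallback when the offending value must be echoed back. Second, Hibernate Validator 6.2 and later no longer evaluate EL in templates passed to buildConstraintViolationWithTemplate() unless the validator opts in through HibernateConstraintValidatorContext#enableExpressionLanguage(), so the version of the validation provider on the classpath is part of the exposure assessment, not just the application code.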

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.netflix.conductor:conductor-core (Maven)
Affected versions: < 2.25.4
Patched versions: 2.25.4

Affected products: 2

References: 4
