You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can by bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid html which leads to attacks like HTML injection and Cross-Site-Scripting.
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
mend-for-github-combot
changed the title
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 7.0)
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 7.0) reachable
Jul 2, 2023
mend-for-github-combot
changed the title
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 7.0) reachable
hibernate-validator-5.2.1.Final.jar: 3 vulnerabilities (highest severity is: 7.0) reachable
Feb 28, 2024
mend-for-github-combot
changed the title
hibernate-validator-5.2.1.Final.jar: 3 vulnerabilities (highest severity is: 7.0) reachable
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 7.0) reachable
Mar 21, 2024
mend-for-github-combot
changed the title
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 7.0) reachable
hibernate-validator-5.2.1.Final.jar: 3 vulnerabilities (highest severity is: 7.0) reachable
Apr 8, 2024
mend-for-github-combot
changed the title
hibernate-validator-5.2.1.Final.jar: 3 vulnerabilities (highest severity is: 7.0) reachable
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 6.1) reachable
Apr 12, 2024
mend-for-github-combot
changed the title
hibernate-validator-5.2.1.Final.jar: 2 vulnerabilities (highest severity is: 6.1) reachable
hibernate-validator-5.2.1.Final.jar: 3 vulnerabilities (highest severity is: 7.0) reachable
Aug 16, 2024
Vulnerable Library - hibernate-validator-5.2.1.Final.jar
Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://hibernate.org/validator
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.2.1.Final/hibernate-validator-5.2.1.Final.jar
Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc
Vulnerabilities
Reachable
Reachable
Reachable
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-7536
Vulnerable Library - hibernate-validator-5.2.1.Final.jar
Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://hibernate.org/validator
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.2.1.Final/hibernate-validator-5.2.1.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
Publish Date: 2018-01-10
URL: CVE-2017-7536
CVSS 3 Score Details (7.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7536
Release Date: 2018-01-10
Fix Resolution: 5.3.0.Alpha1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-1932
Vulnerable Library - hibernate-validator-5.2.1.Final.jar
Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://hibernate.org/validator
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.2.1.Final/hibernate-validator-5.2.1.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can by bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid html which leads to attacks like HTML injection and Cross-Site-Scripting.
Publish Date: 2024-11-07
URL: CVE-2023-1932
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444
Release Date: 2024-11-07
Fix Resolution: 6.2.0.CR1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-10693
Vulnerable Library - hibernate-validator-5.2.1.Final.jar
Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://hibernate.org/validator
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.2.1.Final/hibernate-validator-5.2.1.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Publish Date: 2020-05-06
URL: CVE-2020-10693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/
Release Date: 2020-05-06
Fix Resolution: 6.0.0.Alpha1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: