Description
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Statement
hibernate-validator is shipped as part of OpenDaylight (ODL) in Red Hat OpenStack Platform 13.0. However, because ODL is a Technology Preview in that version and the flaw is rated Moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.
Mitigation
Instead of concatenating user input into a message template, pass it as an expression variable by unwrapping the context to HibernateConstraintValidatorContext; the template then stays a constant and the user-supplied text is only ever bound as a value, never parsed as EL. See https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.
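The following is an added example of the mitigation above; it is not code from Hibernate Validator, Red Hat or this advisory. It assumes Hibernate Validator 6.x with the javax.validation (Bean Validation 2.0) API on the classpath; the @ProductCode constraint, its validator, its message text and the sample input are hypothetical. The commented-out lines show the unsafe pattern (splicing the validated value into the template), and the live code shows the safe one (binding it as an EL variable via HibernateConstraintValidatorContext).

```java
// Added example, not part of the original page or of Hibernate Validator itself.
// Assumes Hibernate Validator 6.x + javax.validation; @ProductCode is a hypothetical constraint.
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

public class SafeInterpolationExample {

    @Documented
    @Constraint(validatedBy = ProductCodeValidator.class)
    @Target({ElementType.FIELD, ElementType.PARAMETER})
    @Retention(RetentionPolicy.RUNTIME)
    public @interface ProductCode {
        // ${rejected} is an EL *variable* bound by the validator below. Its content is
        // substituted as a value, so a string that looks like an expression is not evaluated.
        String message() default "'${rejected}' is not a valid product code";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class ProductCodeValidator implements ConstraintValidator<ProductCode, String> {
        // Hypothetical format: three upper-case letters, a dash, four digits.
        private static final Pattern FORMAT = Pattern.compile("[A-Z]{3}-\\d{4}");

        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || FORMAT.matcher(value).matches()) {
                return true;
            }

            // UNSAFE: the pattern this flaw is about. The user-controlled value becomes part
            // of the template text, so any ${...} inside it is handed to the EL interpolator.
            //   ctx.disableDefaultConstraintViolation();
            //   ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid product code")
            //      .addConstraintViolation();

            // SAFE: unwrap to the Hibernate-specific context and bind the value as an
            // expression variable. The message template is the constant from @ProductCode.
            ctx.unwrap(HibernateConstraintValidatorContext.class)
               .addExpressionVariable("rejected", value);
            return false;
        }
    }

    public static class Order {
        @ProductCode
        public String code;

        public Order(String code) {
            this.code = code;
        }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();

        // Constructed input shaped like an EL expression. With the safe binding it is
        // reported verbatim inside the quotes; with the commented-out concatenation it
        // would have been interpolated.
        String suspicious = "${1 + 1}";
        Set<ConstraintViolation<Order>> violations = validator.validate(new Order(suspicious));
        for (ConstraintViolation<Order> v : violations) {
            System.out.println(v.getPropertyPath() + ": " + v.getMessage());
        }
    }
}
```

Expression variables (addExpressionVariable, referenced as ${name}) are resolved in the EL context, while message parameters (addMessageParameter, referenced as {name}) are plain substitutions; both keep user data out of the template string itself, which is the property the mitigation relies on. Whichever you use, never build the template with string concatenation of request data.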
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | hibernate-validator | Out of support scope | | |
| Red Hat CodeReady Studio 12 | hibernate-validator | Affected | | |
| Red Hat Data Grid 8 | hibernate-validator | Not affected | | |
| Red Hat JBoss BRMS 5 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss Data Grid 7 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 5 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss Fuse 6 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss Fuse Service Works 6 | hibernate-validator | Out of support scope | | |
Additional information
CVSS3: 5.3 Medium
Related vulnerabilities
Improper Input Validation in Hibernate Validator