Description
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render the invalid HTML, allowing HTML injection or cross-site scripting (XSS) attacks.
Statement
Hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However, because ODL is a technology preview in this version and the flaw is rated moderate, Red Hat will not be releasing a fix for the OpenStack package at this time. Supported versions of Satellite 6 embed vulnerable versions of hibernate-validator inside the candlepin component. However, the vulnerable SafeHtmlValidator functionality is not in use there, so it is not possible to exploit it.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | org.apache.logging.log4j-log4j | Not affected | | |
| Cryostat 2 | hibernate-validator | Not affected | | |
| Red Hat AMQ Broker 7 | hibernate-validator | Not affected | | |
| Red Hat A-MQ Online | io.enmasse-enmasse | Not affected | | |
| Red Hat BPM Suite 6 | hibernate-validator | Out of support scope | | |
| Red Hat CodeReady Studio 12 | hibernate-validator | Affected | | |
| Red Hat Data Grid 8 | hibernate-validator | Not affected | | |
| Red Hat Decision Manager 7 | hibernate-validator | Out of support scope | | |
| Red Hat Fuse 7 | hibernate-validator | Out of support scope | | |
| Red Hat JBoss BRMS 5 | hibernate-validator | Out of support scope | | |
Additional information
Status:
EPSS
CVSS3: 6.1 Medium
Related vulnerabilities
hibernate-validator Cross-site Scripting vulnerability (CVSS3: 6.1 Medium)