PT-2018-8401 · Red Hat · Hibernate Validator

Published: 2018-01-10 · Updated: 2022-03-10 · CVE-2017-7536

CVSS v3.1: 7.0 (High)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hibernate Validator versions 5.2.x through 5.2.4, 5.3.x through 5.3.5, and 5.4.x through 5.4.1

Description: A potential privilege escalation issue was found in Hibernate Validator when the security manager's reflective permissions are granted, allowing access to private class members. This could enable an attacker to validate an invalid instance and access private member values via ConstraintViolation#getInvalidValue().

Recommendations: For Hibernate Validator version 5.2.x, update to version 5.2.5.Final or later. For Hibernate Validator version 5.3.x, update to version 5.3.6.Final or later. For Hibernate Validator version 5.4.x, update to version 5.4.2.Final or later. As a temporary workaround, consider restricting the security manager's reflective permissions so that private class members cannot be accessed.


Weakness Enumeration

Related identifiers

CVE-2017-7536
GHSA-XXGP-PCFC-3VGC
RHSA-2017:2808
RHSA-2017:2809
RHSA-2017:2811
RHSA-2017:3141
RHSA-2017:3454
RHSA-2017:3455
RHSA-2017:3458
RHSA-2018:2741
RHSA-2018:2742
RHSA-2018:2743
RHSA-2018:2927

Affected products

Hibernate Validator