PT-2018-8401 · Red Hat · Hibernate Validator

Published: 2018-01-10 · Updated: 2022-03-10 · CVE-2017-7536

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hibernate Validator versions 5.2.x through 5.2.4, 5.3.x through 5.3.5, and 5.4.x through 5.4.1

Description: A potential privilege escalation issue was found in Hibernate Validator when the security manager's reflective permissions are granted, allowing access to private class members. This could enable an attacker to validate an invalid instance and access private member values via ConstraintViolation#getInvalidValue().
Recommendations: For Hibernate Validator version 5.2.x, update to version 5.2.5.Final or later. For Hibernate Validator version 5.3.x, update to version 5.3.6.Final or later. For Hibernate Validator version 5.4.x, update to version 5.4.2.Final or later. As a temporary workaround, consider restricting the security manager's reflective permissions to prevent access to private class members.
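The exposure channel named above is ConstraintViolation#getInvalidValue(). The following is an added example (not from the advisory or from the Hibernate project) showing a violation report that echoes the rejected value beside one that reports only the property path and message, so a private member value never leaves the validating side; it assumes Hibernate Validator and its javax.el dependency on the classpath, and the Account bean and field names are constructed for the example.

```java
// Added example: report validation failures without exposing ConstraintViolation#getInvalidValue().
// Assumes Hibernate Validator (javax.validation provider) and javax.el are on the classpath.
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

public class SafeViolationReport {
    // Constructed sample bean: constraints sit on private fields, so a violation's
    // invalid value is the content of a private member.
    static class Account {
        @NotNull
        private String username;
        @Size(min = 12, message = "password must be at least 12 characters")
        private String password;

        Account(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /** Leaky: echoes the rejected value, i.e. the private field's content, to the caller. */
    static List<String> leakyReport(Set<? extends ConstraintViolation<?>> violations) {
        List<String> out = new ArrayList<>();
        for (ConstraintViolation<?> v : violations) {
            out.add(v.getPropertyPath() + ": " + v.getMessage() + " (was: " + v.getInvalidValue() + ")");
        }
        return out;
    }

    /** Hardened: property path and message only; the invalid value stays on the validating side. */
    static List<String> safeReport(Set<? extends ConstraintViolation<?>> violations) {
        List<String> out = new ArrayList<>();
        for (ConstraintViolation<?> v : violations) {
            out.add(v.getPropertyPath() + ": " + v.getMessage());
        }
        return out;
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<Account>> violations = validator.validate(new Account("alice", "hunter2"));
        System.out.println("leaky: " + leakyReport(violations)); // contains the private password value
        System.out.println("safe:  " + safeReport(violations));  // "password: password must be at least 12 characters"
    }
}
```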

Fix


Weakness Enumeration

Related Identifiers

CVE-2017-7536
GHSA-XXGP-PCFC-3VGC
RHSA-2017:2808
RHSA-2017:2809
RHSA-2017:2811
RHSA-2017:3141
RHSA-2017:3454
RHSA-2017:3455
RHSA-2017:3458
RHSA-2018:2741
RHSA-2018:2742
RHSA-2018:2743
RHSA-2018:2927

Affected Products

Hibernate Validator