PT-2020-12288 · Red Hat · Hibernate Validator

Published: 2020-05-06 · Updated: 2022-05-10 · CVE-2020-10693

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hibernate Validator version 6.1.2.Final

Description: A flaw was found in the message interpolation processor of Hibernate Validator, enabling invalid EL expressions to be evaluated as if they were valid. This allows attackers to bypass input sanitization controls that developers may have put in place when handling user-controlled data in error messages.

Recommendations: For Hibernate Validator version 6.1.2.Final, consider disabling the message interpolation processor until a patch is available, so that invalid EL expressions are not evaluated. Restrict the handling of user-controlled data in error messages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE


Weakness Enumeration

Related Identifiers

CVE-2020-10693
GHSA-RMRM-75HP-PHR2
OESA-2021-1138
RHSA-2020:3461
RHSA-2020:3462
RHSA-2020:3463
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639
RHSA-2020:4366

Affected Products

Debian
Hibernate Validator