3 results (0.007 seconds)

CVSS: 5.3EPSS: 0%CPEs: 13EXPL: 0

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. Se encontró un fallo en Hibernate Validator versión 6.1.2.Final. Un error en el procesador de interpolación de mensajes permite evaluar expresiones EL no válidas como si fueran válidas. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693 https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-202 • CWE-20: Improper Input Validation •

CVSS: 6.5EPSS: 0%CPEs: 429EXPL: 0

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application. ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) en Hibernate Validator 4.1.0 anterior a 4.2.1, 4.3.x anterior a 4.3.2, y 5.x anterior a 5.1.2 permite a atacantes evadir las restricciones de Java Security Manager (JSM) y ejecutar llamadas de reflección restringidas a través de una aplicación manipulada. It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager. • http://rhn.redhat.com/errata/RHSA-2014-1285.html http://rhn.redhat.com/errata/RHSA-2014-1286.html http://rhn.redhat.com/errata/RHSA-2014-1287.html http://rhn.redhat.com/errata/RHSA-2014-1288.html http://rhn.redhat.com/errata/RHSA-2015-0125.html http://rhn.redhat.com/errata/RHSA-2015-0720.html https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3558.yaml https://hibernate.atlassian.net/browse/HV-912 https://access.redhat.com/security/cve/ • CWE-264: Permissions, Privileges, and Access Controls CWE-266: Incorrect Privilege Assignment •