GHSA-rmrm-75hp-phr2

Source

https://github.com/advisories/GHSA-rmrm-75hp-phr2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rmrm-75hp-phr2/GHSA-rmrm-75hp-phr2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rmrm-75hp-phr2

Aliases

CVE-2020-10693

Published

2021-06-04T21:36:34Z

Modified

2023-11-08T04:01:59.506227Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Improper Input Validation in Hibernate Validator

Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

References

Affected packages

Maven / org.hibernate.validator:hibernate-validator

Package

Name: org.hibernate.validator:hibernate-validator; View open source insights on deps.dev
Purl: pkg:maven/org.hibernate.validator/hibernate-validator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0.Final

Fixed

6.1.5.Final

Affected versions

6.*

6.1.0.Final

6.1.1.Final

6.1.2.Final

6.1.3.Final

6.1.4.Final

Database specific

{
    "last_known_affected_version_range": "<= 6.1.4.Final"
}

Maven / org.hibernate.validator:hibernate-validator

Package

Name: org.hibernate.validator:hibernate-validator; View open source insights on deps.dev
Purl: pkg:maven/org.hibernate.validator/hibernate-validator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.20.Final

Affected versions

6.*

6.0.0.Alpha1

6.0.0.Alpha2

6.0.0.Beta1

6.0.0.Beta2

6.0.0.CR1

6.0.0.CR2

6.0.0.CR3

6.0.0.Final

6.0.1.Final

6.0.2.Final

6.0.3.Final

6.0.4.Final

6.0.5.Final

6.0.6.Final

6.0.7.Final

6.0.8.Final

6.0.9.Final

6.0.10.Final

6.0.11.Final

6.0.12.Final

6.0.13.Final

6.0.14.Final

6.0.15.Final

6.0.16.Final

6.0.17.Final

6.0.18.Final

6.0.19.Final

Database specific

{
    "last_known_affected_version_range": "<= 6.0.19.Final"
}