A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
10 May 2022, 15:46
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E - Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* |
20 Apr 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
10 Jun 2021, 13:47
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:redhat:hibernate_validator:6.2.0:-:*:*:*:*:*:* |
Information
Published : 2020-05-06 14:15
Updated : 2024-02-04 21:00
NVD link : CVE-2020-10693
Mitre link : CVE-2020-10693
CVE.ORG link : CVE-2020-10693
JSON object : View
Products Affected
redhat
- jboss_enterprise_application_platform
- satellite
- satellite_capsule
- hibernate_validator
- enterprise_linux
ibm
- websphere_application_server
quarkus
- quarkus
oracle
- weblogic_server
CWE
CWE-20
Improper Input Validation