CVE-2020-10693

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:7.0.0:alpha1:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:redhat:satellite:6.8:*:*:*:*:*:*:*
cpe:2.3:a:redhat:satellite_capsule:6.8:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

History

10 May 2022, 15:46

Type Values Removed Values Added
References (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E - Mailing List, Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E - Mailing List, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E - Mailing List, Third Party Advisory
CPE cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • {'url': 'https://www.ibm.com/support/pages/node/6348216', 'name': 'https://www.ibm.com/support/pages/node/6348216', 'tags': ['Third Party Advisory'], 'refsource': 'MISC'}
  • (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E -
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -
  • (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E -

10 Jun 2021, 13:47

Type Values Removed Values Added
CPE cpe:2.3:a:redhat:hibernate_validator:6.2.0:candidate_release1:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.2.0:-:*:*:*:*:*:*

Information

Published : 2020-05-06 14:15

Updated : 2024-02-04 21:00


NVD link : CVE-2020-10693

Mitre link : CVE-2020-10693

CVE.ORG link : CVE-2020-10693


JSON object : View

Products Affected

redhat

  • jboss_enterprise_application_platform
  • satellite
  • satellite_capsule
  • hibernate_validator
  • enterprise_linux

ibm

  • websphere_application_server

quarkus

  • quarkus

oracle

  • weblogic_server
CWE
CWE-20

Improper Input Validation