CVE-2017-7536 – org.hibernate:hibernate-validator
Package
Manager: maven
Name: org.hibernate:hibernate-validator
Vulnerable Version: >=5.2.0 <5.2.5.final || >=5.3.0 <5.3.6.final || >=5.4.0 <5.4.2.final
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00104 pctl0.28961
Details
Privilege Escalation in Hibernate Validator. In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x before 5.3.6.Final, and 5.4.x before 5.4.2.Final, it was found that when the security manager's reflective permissions, which allow access to the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. Because the calling code is allowed to access those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member value via ConstraintViolation#getInvalidValue().
Metadata
Created: 2020-06-15T19:57:48Z
Modified: 2022-07-20T14:21:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xxgp-pcfc-3vgc/GHSA-xxgp-pcfc-3vgc.json
CWE IDs: ["CWE-470"]
Alternative ID: GHSA-xxgp-pcfc-3vgc
Finding: F004
Auto approve: 1