Fluid Attacks Database

Description

hibernate-validator Cross-site Scripting vulnerability A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.hibernate.validator:hibernate-validator	>=0 <6.2.0.final	6.2.0.final
debian 11	libhibernate-validator-java	=5.3.6-1 \|\| =5.3.6-2 \|\| =5.3.6-3	-
maven	org.hibernate:hibernate-validator	>=0 <6.2.0.final	6.2.0.final
debian 12	libhibernate-validator-java	=5.3.6-2 \|\| =5.3.6-3	-
debian 13	libhibernate-validator-java	=5.3.6-3	-
debian 14	libhibernate-validator-java	=5.3.6-3	-

Aliases

1. CVE-2023-19322. NVD-2023-19323. OSV-2023-19324. OSV-DEBIAN-2023-19325. GCVE-2023-19326. ACCESS-CVE-2023-19327. SECURITY-TRACKER-CVE-2023-1932

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=1809444

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.