Fluid Attacks Database

Description

Improper Input Validation in Hibernate Validator A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.hibernate.validator:hibernate-validator	>=0 <=6.0.19.final \|\| >=6.1.0.final <=6.1.4.final	6.1.5.final, 6.0.20.final
maven	org.hibernate:hibernate-validator	>=6.1.0.final <6.1.5.final \|\| >=0 <6.0.20.final	6.1.5.final, 6.0.20.final
debian 13	libhibernate-validator-java	=5.3.6-3	-
debian 12	libhibernate-validator-java	=5.3.6-2 \|\| =5.3.6-3	-
debian 14	libhibernate-validator-java	=5.3.6-3	-
debian 11	libhibernate-validator-java	=5.3.6-1 \|\| =5.3.6-2 \|\| =5.3.6-3	-

Aliases

1. CVE-2020-106932. NVD-2020-106933. OSV-2020-106934. OSV-DEBIAN-2020-106935. GCVE-2020-106936. SECURITY-TRACKER-CVE-2020-10693

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-106932. https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E3. https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E4. https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E5. https://www.ibm.com/support/pages/node/63482166. https://www.oracle.com/security-alerts/cpuapr2022.html