logo

Database

Remote command execution In org.hibernate:hibernate-validator

Description

Privilege Escalation in Hibernate Validator In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x before 5.3.6.Final, and 5.4.x before 5.4.2.Final, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-75362. NVD-2017-75363. OSV-2017-75364. OSV-DEBIAN-2017-75365. GCVE-2017-75366. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com18. access.redhat.com19. access.redhat.com20. access.redhat.com21. SECURITY-TRACKER-CVE-2017-7536

References

1. https://github.com/hibernate/hibernate-validator/commit/0886e89900d343ea20fde5137c9a3086e6da9ac2. https://github.com/hibernate/hibernate-validator/commit/0778a5c98b817771a645c6f4ba0b28dd8b5437b3. https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E4. https://bugzilla.redhat.com/show_bug.cgi?id=14655735. http://www.securityfocus.com/bid/1010486. http://www.securitytracker.com/id/1039744

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.