CVE-2017-7536

EPSS 0.1%
Published 10.01.2018 15:29:00
Last modified 21.11.2024 03:32:06
Source secalert@redhat.com
Teams watchlist Login
Open Login

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

Affected products Warnungen 0 Metrics 3 CWE 2 References 22

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Hibernate Validator Version >= 5.2.0 < 5.2.5

Redhat ≫ Hibernate Validator Version >= 5.3.0 < 5.3.6

Redhat ≫ Hibernate Validator Version >= 5.4.0 < 5.4.2

Redhat ≫ Satellite Version6.4

Redhat ≫ Satellite Capsule Version6.4

Redhat ≫ Jboss Enterprise Application Platform Version6.0.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.4.0

   Redhat ≫ Enterprise Linux Version5.0
   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.0

Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.1

Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Virtualization Version4.0

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Virtualization Host Version4.0

Redhat ≫ Enterprise Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.29

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.4	3.4	6.4	AV:L/AC:M/Au:N/C:P/I:P/A:P

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

CWE-592 DEPRECATED: Authentication Bypass Issues

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://access.redhat.com/errata/RHSA-2017:2808

Vendor Advisory

https://access.redhat.com/errata/RHSA-2017:2809

Vendor Advisory

https://access.redhat.com/errata/RHSA-2017:2810

Vendor Advisory

https://access.redhat.com/errata/RHSA-2017:2811

Vendor Advisory

https://access.redhat.com/errata/RHSA-2018:2927