7

CVE-2017-7536

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatHibernate Validator Version >= 5.2.0 < 5.2.5
RedhatHibernate Validator Version >= 5.3.0 < 5.3.6
RedhatHibernate Validator Version >= 5.4.0 < 5.4.2
RedhatSatellite Version6.4
RedhatSatellite Capsule Version6.4
RedhatJboss Enterprise Application Platform Version6.0.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version6.4.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version7.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version7.1
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatVirtualization Version4.0
   RedhatEnterprise Linux Version7.0
RedhatVirtualization Host Version4.0
   RedhatEnterprise Linux Version7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.48% 0.377
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 4.4 3.4 6.4
AV:L/AC:M/Au:N/C:P/I:P/A:P
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

CWE-592 DEPRECATED: Authentication Bypass Issues

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://access.redhat.com/errata/RHSA-2017:2808
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2809
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2810
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:2811
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2927
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3454
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3455
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3456
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3458
Vendor Advisory
http://www.securitytracker.com/id/1039744
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:3141
Vendor Advisory
http://www.securityfocus.com/bid/101048
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2018:2740
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2741
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2742
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2743
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3817
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1465573
Vendor Advisory
Issue Tracking