7
CVE-2017-7536
- EPSS 0.48%
- Veröffentlicht 10.01.2018 15:29:00
- Zuletzt bearbeitet 21.11.2024 03:32:06
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Hibernate Validator Version >= 5.2.0 < 5.2.5
Redhat ≫ Hibernate Validator Version >= 5.3.0 < 5.3.6
Redhat ≫ Hibernate Validator Version >= 5.4.0 < 5.4.2
Redhat ≫ Satellite Capsule Version6.4
Redhat ≫ Jboss Enterprise Application Platform Version6.0.0
Redhat ≫ Enterprise Linux Version5.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Jboss Enterprise Application Platform Version6.4.0
Redhat ≫ Enterprise Linux Version5.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Jboss Enterprise Application Platform Version7.0
Redhat ≫ Jboss Enterprise Application Platform Version7.1
Redhat ≫ Virtualization Version4.0
Redhat ≫ Virtualization Host Version4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.48% | 0.377 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4.4 | 3.4 | 6.4 |
AV:L/AC:M/Au:N/C:P/I:P/A:P
|
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
CWE-592 DEPRECATED: Authentication Bypass Issues
This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://access.redhat.com/errata/RHSA-2017:2808
https://access.redhat.com/errata/RHSA-2017:2809
https://access.redhat.com/errata/RHSA-2017:2810
https://access.redhat.com/errata/RHSA-2017:2811
https://access.redhat.com/errata/RHSA-2018:2927
https://access.redhat.com/errata/RHSA-2017:3454
https://access.redhat.com/errata/RHSA-2017:3455
https://access.redhat.com/errata/RHSA-2017:3456
https://access.redhat.com/errata/RHSA-2017:3458
http://www.securitytracker.com/id/1039744
https://access.redhat.com/errata/RHSA-2017:3141
http://www.securityfocus.com/bid/101048
https://access.redhat.com/errata/RHSA-2018:2740
https://access.redhat.com/errata/RHSA-2018:2741
https://access.redhat.com/errata/RHSA-2018:2742
https://access.redhat.com/errata/RHSA-2018:2743
https://access.redhat.com/errata/RHSA-2018:3817
https://bugzilla.redhat.com/show_bug.cgi?id=1465573