CVE-2020-10693

EPSS 0.03%
Published 06.05.2020 14:15:10
Last modified 21.11.2024 04:55:52
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Affected products Warnungen 0 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Hibernate Validator Version >= 5.0.0 < 6.0.20

Redhat ≫ Hibernate Validator Version >= 6.1.2 < 6.1.5

Redhat ≫ Hibernate Validator Version7.0.0 Updatealpha1

Ibm ≫ Websphere Application Server SwEditionliberty Version >= 17.0.0.3 <= 20.0.0.10

Redhat ≫ Jboss Enterprise Application Platform Version7.2.0

   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0
   Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Jboss Enterprise Application Platform Version7.3.0

   Redhat ≫ Enterprise Linux Version6.0
   Redhat ≫ Enterprise Linux Version7.0
   Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Satellite Version6.8

Redhat ≫ Satellite Capsule Version6.8

Quarkus ≫ Quarkus Version <= 1.4.2

Oracle ≫ Weblogic Server Version14.1.1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.073

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N
secalert@redhat.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E

https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2020-10693

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-10693

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-10693

EUVD