CVE-2020-10693

Aliases:GHSA-rmrm-75hp-phr2
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 06 May 2020, 13:03
Last modified:04 Aug 2024, 11:06

Vulnerability Summary

Overall Risk (default)
low
21/100
CVSS Score
5.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.09% LOW
0% probability -0.20%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

06 May 2020, 13:03
Published
Vulnerability first disclosed
04 Aug 2024, 11:06
Last Modified
Vulnerability information updated

Description

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

CVSS Metrics

  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.09% Percentile: 26%

Techniques & Countermeasures

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • hibernatehibernate-validator

    6.1.2.Final

  • ibmwebsphere_application_server

    ≥ 17.0.0.3, ≤ 20.0.0.10

  • org.hibernatehibernate-validator

    ≥ 6.1.0.Final, < 6.1.5.Final | < 6.0.20.Final

  • org.hibernate.validatorhibernate-validator

    ≥ 6.1.0.Final, < 6.1.5.Final | < 6.0.20.Final

  • UnknownWebLogic Server

    14.1.1.0.0

  • quarkusquarkus

    ≤ 1.4.2

  • redhathibernate_validator

    ≥ 5.0.0, < 6.0.20 | ≥ 6.1.2, < 6.1.5 | 7.0.0:alpha1

  • redhatjboss_enterprise_application_platform

    7.2.0 | 7.3.0

  • redhatsatellite

    6.8

  • redhatsatellite_capsule

    6.8

References (10)