CVE-2020-10693

Published: May 6, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Affected (10)

Products: Redhat: Hibernate Validator, Jboss Enterprise Application Platform, Satellite, Satellite Capsule · Ibm: Websphere Application Server · Quarkus: Quarkus · +1 more

Show all products

Redhat: Hibernate Validator, Jboss Enterprise Application Platform, Satellite, Satellite Capsule · Ibm: Websphere Application Server · Quarkus: Quarkus · Oracle: Weblogic Server

4 products

Hibernate Validator

Jboss Enterprise Application Platform

Satellite Capsule

1 product

Websphere Application Server

1 product

1 product

Weblogic Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Hibernate Validator	From 5.0.0 to 6.0.20
Redhat Hibernate Validator	From 6.1.2 to 6.1.5
Redhat Hibernate Validator	Version 7.0.0 alpha1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Ibm Websphere Application Server	From 17.0.0.3 to 20.0.0.10

Configuration C

2 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Application Platform	Version 7.2.0
Redhat Jboss Enterprise Application Platform	Version 7.3.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Satellite	Version 6.8
Redhat Satellite Capsule	Version 6.8

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Quarkus Quarkus	Up to 1.4.2

Configuration F

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Weblogic Server	Version 14.1.1.0.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (10)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E

Source: secalert@redhat.com

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: secalert@redhat.com

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.