Description
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
References (5)
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Issue Tracking, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693
Mailing List: https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E
Scores
CVSS v3 Base Score: 5.3
EPSS: 0.0009
EPSS Percentile: 26.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE: CWE-20
Status: published
Products (11)
ibm/websphere_application_server: 17.0.0.3 - 20.0.0.10
oracle/weblogic_server: 14.1.1.0.0
org.hibernate/hibernate-validator: 6.1.0.Final - 6.1.5.Final (Maven)
org.hibernate.validator/hibernate-validator: 6.1.0.Final - 6.1.5.Final (Maven)
quarkus/quarkus: < 1.4.2
redhat/hibernate_validator: 7.0.0 alpha1
redhat/hibernate_validator: 5.0.0 - 6.0.20
redhat/jboss_enterprise_application_platform: 7.2.0
redhat/jboss_enterprise_application_platform: 7.3.0
redhat/satellite: 6.8
... and 1 more
Published: May 06, 2020
Tracked Since: Feb 18, 2026