
Upgrade org.hibernate:hibernate-validator to version 4.3.4 or later. #3

Open
astevko opened this issue Jun 16, 2020 · 0 comments
astevko commented Jun 16, 2020

org.hibernate:hibernate-validator vulnerability found in pom.xml 21 hours ago

Remediation

Upgrade org.hibernate:hibernate-validator to version 4.3.4 or later. For example:

```xml
<dependency>
  <groupId>org.hibernate</groupId>
  <artifactId>hibernate-validator</artifactId>
  <version>[4.3.4,)</version>
</dependency>
```

Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2017-7536
high severity
Vulnerable versions: < 4.3.4
Patched version: 4.3.4

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
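An added check that is not part of this issue or of Hibernate Validator itself: it parses a pom.xml and reports every hibernate-validator dependency whose version (plain or Maven range, with `${property}` placeholders resolved) can still resolve below the 4.3.4 patched version named in the alert. The sample pom, the `hv.version` property and the helper names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.hibernate", "hibernate-validator"
PATCHED = (4, 3, 4)  # "Patched version: 4.3.4" as stated in the alert

# Constructed sample pom.xml (not from the repository): version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><hv.version>4.3.3.Final</hv.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.hibernate</groupId>
      <artifactId>hibernate-validator</artifactId>
      <version>${hv.version}</version>
    </dependency>
  </dependencies>
</project>"""

def local(tag):
    """Strip the POM XML namespace so lookups work with or without xmlns."""
    return tag.split("}")[-1]

def to_tuple(text):
    """'5.2.5.Final' -> (5, 2, 5); missing numeric components pad with 0."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def lower_bound(spec):
    """Lowest version a plain version or a Maven range such as '[4.3.4,)' can resolve to."""
    m = re.match(r"^[\[(]\s*([^,\])]*)", spec.strip())
    if m:  # range syntax; an empty lower bound means unbounded below
        return to_tuple(m.group(1)) if m.group(1).strip() else (0, 0, 0)
    return to_tuple(spec)

def vulnerable_versions(pom_xml):
    """Version specs of hibernate-validator dependencies that can resolve below PATCHED."""
    root = ET.fromstring(pom_xml)
    props = {local(p.tag): (p.text or "").strip()
             for e in root if local(e.tag) == "properties" for p in e}
    found = []
    for dep in (e for e in root.iter() if local(e.tag) == "dependency"):
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != (GROUP, ARTIFACT):
            continue
        spec = fields.get("version", "")
        spec = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), spec)
        # No version here means it is managed elsewhere (parent/BOM); flag it for manual review.
        if not spec or lower_bound(spec) < PATCHED:
            found.append(spec or "(unspecified)")
    return found
```

A dependency without an explicit version is reported as "(unspecified)" so the resolved version can be confirmed from the effective POM rather than assumed safe.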

astevko self-assigned this Jun 16, 2020