CVE-2020-10693
Summary
| CVE | CVE-2020-10693 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-05-06 14:15:00 UTC |
| Updated | 2023-11-07 03:14:00 UTC |
| Description | A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Websphere Application Server | All | All | All | All |
| Application | Oracle | Weblogic Server | 14.1.1.0.0 | All | All | All |
| Application | Quarkus | Quarkus | All | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Application | Redhat | Hibernate Validator | All | All | All | All |
| Application | Redhat | Hibernate Validator | 6.2.0 | - | All | All |
| Application | Redhat | Hibernate Validator | 6.2.0 | candidate_release1 | All | All |
| Application | Redhat | Hibernate Validator | 7.0.0 | alpha1 | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.2.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.3.0 | All | All | All |
| Application | Redhat | Satellite | 6.8 | All | All | All |
| Application | Redhat | Satellite Capsule | 6.8 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 1805501 – (CVE-2020-10693) CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages | CONFIRM | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) | MISC | www.ibm.com | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.