CVE-2017-7536

CWE-592 CWE-4708 documents7 sources

Severity

7.0HIGH

EPSS

0.1%

top 68.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Hibernate Validator RED Hat, Inc. Hibernate-validator Redhat Jboss Enterprise Application Platform +4 more

Timeline

PublishedJan 10

Latest updateJun 15

Description

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages9 packages

▶NVDredhat/hibernate_validator5.2.0 — 5.2.5+2

▶Mavenorg.hibernate:hibernate-validator5.2.0 — 5.2.5.Final+2

▶Debianlibhibernate-validator-java< 4.3.3-4+3

▶CVEListV5red_hat,_inc./hibernate-validator5.2.x before 5.2.5 final, 5.3.x, 5.4.x+2

▶NVDredhat/satellite6.4

🔴Vulnerability Details

GHSA

Privilege Escalation in Hibernate Validator↗2020-06-15

▶

OSV

Privilege Escalation in Hibernate Validator↗2020-06-15

▶

OSV

CVE-2017-7536: In Hibernate Validator 5↗2018-01-10

▶

CVEList

CVE-2017-7536: In Hibernate Validator 5↗2018-01-10

▶

📋Vendor Advisories

Red Hat

hibernate-validator: Privilege escalation when running under the security manager↗2017-09-26

▶

Debian

CVE-2017-7536: libhibernate-validator-java - In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found ...↗2017

▶

💬Community

Bugzilla

CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager↗2017-06-27

▶