CVE-2020-10693

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:7.0.0:alpha1:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:redhat:satellite:6.8:*:*:*:*:*:*:*
cpe:2.3:a:redhat:satellite_capsule:6.8:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

History

07 Nov 2023, 03:14

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E', 'name': '[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E', 'name': '[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E', 'name': '[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219', 'tags': ['Mailing List', 'Patch', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E -
  • () https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E -
  • () https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E -

10 May 2022, 15:46

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
First Time Oracle
Oracle weblogic Server
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E - Mailing List, Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E - Mailing List, Third Party Advisory

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • {'url': 'https://www.ibm.com/support/pages/node/6348216', 'name': 'https://www.ibm.com/support/pages/node/6348216', 'tags': ['Third Party Advisory'], 'refsource': 'MISC'}
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -
  • (MLIST) https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E -

10 Jun 2021, 13:47

Type Values Removed Values Added
CPE cpe:2.3:a:redhat:hibernate_validator:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.2.0:candidate_release1:*:*:*:*:*:*

02 Mar 2021, 13:59

Type Values Removed Values Added
CPE cpe:2.3:a:redhat:hibernate_validator:6.1.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.1.7:*:*:*:*:*:*:*

01 Mar 2021, 14:52

Type Values Removed Values Added
CPE cpe:2.3:a:hibernate:validator:6.1.2:*:*:*:*:*:*:* cpe:2.3:a:redhat:hibernate_validator:7.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.1.7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.1.6:*:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:6.2.0:candidate_release1:*:*:*:*:*:*
cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*

Information

Published : 2020-05-06 14:15

Updated : 2023-12-10 13:27


NVD link : CVE-2020-10693

Mitre link : CVE-2020-10693

CVE.ORG link : CVE-2020-10693


JSON object : View

Products Affected

redhat

  • hibernate_validator
  • enterprise_linux
  • satellite_capsule
  • satellite
  • jboss_enterprise_application_platform

quarkus

  • quarkus

oracle

  • weblogic_server

ibm

  • websphere_application_server
CWE
CWE-20

Improper Input Validation