Vulnerability Name: | CVE-2014-3558 (CCN-99867) | ||||||||||||||||||||||||||||||||||||||||||||
Assigned: | 2014-07-15 | ||||||||||||||||||||||||||||||||||||||||||||
Published: | 2014-07-15 | ||||||||||||||||||||||||||||||||||||||||||||
Updated: | 2019-03-21 | ||||||||||||||||||||||||||||||||||||||||||||
Summary: | ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application. | ||||||||||||||||||||||||||||||||||||||||||||
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
| ||||||||||||||||||||||||||||||||||||||||||||
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N) 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||
Vulnerability Type: | CWE-264 | ||||||||||||||||||||||||||||||||||||||||||||
Vulnerability Consequences: | Bypass Security | ||||||||||||||||||||||||||||||||||||||||||||
References: | Source: MITRE Type: CNA CVE-2014-3558 Source: CCN Type: Hibernate Web site Hibernate Validator Source: REDHAT Type: Third Party Advisory RHSA-2014:1285 Source: REDHAT Type: Third Party Advisory RHSA-2014:1286 Source: REDHAT Type: Third Party Advisory RHSA-2014:1287 Source: REDHAT Type: Third Party Advisory RHSA-2014:1288 Source: CCN Type: RHSA-2015-0125 Important: Red Hat JBoss Web Framework Kit 2.7.0 update Source: REDHAT Type: Third Party Advisory RHSA-2015:0125 Source: REDHAT Type: Third Party Advisory RHSA-2015:0720 Source: CCN Type: BID-70101 Red Hat Hibernate Validator CVE-2014-3558 Local Privilege Escalation Vulnerability Source: XF Type: UNKNOWN hibernatevalidat-cve20143558-sec-bypass(99867) Source: MISC Type: Third Party Advisory https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3558.yaml Source: CCN Type: Hibernate Validator HV-912 Improve integration with Java's security manager Source: CONFIRM Type: Third Party Advisory https://hibernate.atlassian.net/browse/HV-912 Source: CCN Type: WhiteSource Vulnerability Database CVE-2014-3558 | ||||||||||||||||||||||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||
BACK |