Vulnerability Name: CVE-2017-7536 (CCN-134640)
Assigned: 2017-11-07
Published: 2017-11-07
Updated: 2022-03-10
Summary: In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member's value via ConstraintViolation#getInvalidValue().
CVSS v3 Severity:
  7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

CVSS v2 Severity: 4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-470
Vulnerability Consequences: Gain Privileges
References:
  - Source: MITRE; Type: CNA; CVE-2017-7536
  - Source: CCN; Type: Hibernate Web site; Hibernate Validator
  - Source: BID; Type: Third Party Advisory, VDB Entry; 101048
  - Source: CCN; Type: BID-101048; Red Hat Hibernate Validator CVE-2017-7536 Local Privilege Escalation Vulnerability
  - Source: SECTRACK; Type: Third Party Advisory, VDB Entry; 1039744
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:2808
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:2809
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:2810
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:2811
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:3141
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:3454
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:3455
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:3456
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2017:3458
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2018:2740
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2018:2741
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2018:2742
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2018:2743
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2018:2927
  - Source: REDHAT; Type: Vendor Advisory; RHSA-2018:3817
  - Source: CCN; Type: Red Hat Bugzilla; Bug 1465573 (CVE-2017-7536): CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
  - Source: CONFIRM; Type: Issue Tracking, Vendor Advisory; https://bugzilla.redhat.com/show_bug.cgi?id=1465573
  - Source: XF; Type: UNKNOWN; hibernate-cve20177536-priv-esc(134640)
  - Source: MLIST; Type: Issue Tracking, Third Party Advisory; [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
Vulnerable Configuration: Configuration 1; Configuration 2; Configuration 3; Configuration 4; Configuration 5; Configuration CCN 1