Invalid parsing of EL expressions can lead to invalid EL expressions being considered valid

Description

This is a fix for CVE-2020-10693.

More details here: https://issues.redhat.com/browse/JBEAP-19087.

Note that this is a problem only if developers include user input in the constraint violation message and do not properly escape it.
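The condition named above, shown as an added example that is not part of this issue or of Hibernate Validator's own sources: a custom validator that wants to echo the rejected value in its message. The `@AllowedCode` constraint, the `AllowedCodeValidator` class and its allow-list are constructed for the example; the `javax.validation` (Bean Validation 2.0) and Hibernate Validator 6.x APIs are assumed to be on the classpath.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

// Hypothetical constraint used only for this example.
@Constraint(validatedBy = AllowedCodeValidator.class)
@Target({ ElementType.FIELD, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@interface AllowedCode {
    String message() default "Unknown code";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class AllowedCodeValidator implements ConstraintValidator<AllowedCode, String> {

    // Constructed allow-list for the example.
    private static final Set<String> ALLOWED = Set.of("EUR", "USD", "GBP");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null || ALLOWED.contains(value)) {
            return true;
        }
        context.disableDefaultConstraintViolation();
        // The pattern the issue warns about: the user-controlled value is concatenated
        // into the message *template*, so the interpolator parses it as template text
        // and any message-parameter or EL syntax it contains is interpreted.
        //
        //   context.buildConstraintViolationWithTemplate("Unknown code: " + value)
        //          .addConstraintViolation();
        //
        // Preferred: keep the template constant and pass the value as a named message
        // parameter, so it is substituted into the fixed template rather than parsed as
        // part of it.
        HibernateConstraintValidatorContext hvContext =
                context.unwrap(HibernateConstraintValidatorContext.class);
        hvContext.addMessageParameter("code", value)
                 .buildConstraintViolationWithTemplate("Unknown code: {code}")
                 .addConstraintViolation();
        return false;
    }
}
```

The message-parameter pattern only removes the developer-side condition the description names; upgrading to a release that contains this fix is still required.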

Environment

None

Activity

Carsten Reckord June 28, 2021 at 4:09 PM

Never mind, this has already been reported as a bug in OSS Index:

Carsten Reckord June 28, 2021 at 4:06 PM

The CVE entry on OSS Index explicitly lists version 6.2.0 as affected by this vulnerability. That seems to be wrong however, since the commits from the fix seem to be present in the 6.2.0.Final release.

Fixed

Details

Bug Testcase Reminder

Bug reports should generally be accompanied by a test case!

Participants

Carsten Reckord
Guillaume Smet
Yoann Rodière

Created May 5, 2020 at 7:55 AM
Updated June 28, 2021 at 4:09 PM
Resolved May 6, 2020 at 1:09 PM