Invalid parsing of EL expression can lead to invalid EL expressions considered valid (CVE-2020-10693)
This is a follow-up to HV-1774.
It looks like CVE-2020-10693 has been updated to include more versions of Hibernate Validator, up to and including version 6.2.0.Final:
Is the CVE update correct and, if so, are there any plans to address this in the Hibernate Validator 6.0.x and 6.1.x branches?
OK, done. I'll let you know once I know more about this.
6.2.x is for sure not vulnerable as it disables EL for custom violation messages by default.
I have no idea why they changed this. My guess is that they got automatically added. I'll try to reach out to Red Hat Prod Security who initially reported the CVE and see how it goes.
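The 6.2.x default mentioned in the thread, shown as an added example (not code from the Hibernate Validator project or from this issue): a hypothetical ValidCode constraint whose validator builds a custom violation message, assuming Hibernate Validator 6.2.0.Final and the javax.validation API. The commented-out call is the pattern the CVE concerns; the live code keeps the template static and opts back into EL only at the VARIABLES level.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ExpressionLanguageFeatureLevel;

// Hypothetical constraint (not part of Hibernate Validator): an 8-character alphanumeric code.
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = ValidCode.Validator.class)
public @interface ValidCode {
    String message() default "invalid code";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};

    class Validator implements ConstraintValidator<ValidCode, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext context) {
            if (value == null || value.matches("[A-Za-z0-9]{8}")) {
                return true;
            }
            context.disableDefaultConstraintViolation();

            // Risky on 6.0.x/6.1.x: building the message *template* from the untrusted
            // value hands that value to the EL interpolator as expression source.
            // context.buildConstraintViolationWithTemplate("Invalid code '" + value + "'")
            //        .addConstraintViolation();

            // Preferred: keep the template static and pass the value as an EL variable,
            // so it is only ever the content of a variable and is never parsed.
            HibernateConstraintValidatorContext hv =
                    context.unwrap(HibernateConstraintValidatorContext.class);
            hv.addExpressionVariable("code", value)
              .buildConstraintViolationWithTemplate("Invalid code '${code}'")
              // 6.2.x: EL is off for custom templates unless opted in; VARIABLES is the
              // narrowest level that still resolves the variable registered above.
              .enableExpressionLanguage(ExpressionLanguageFeatureLevel.VARIABLES)
              .addConstraintViolation();
            return false;
        }
    }
}
```

Without the enableExpressionLanguage call, a 6.2.x validator leaves the `${code}` placeholder uninterpolated, which is the default the comment above relies on.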