Invalid parsing of EL expression can lead to invalid EL expressions considered valid (CVE-2020-10693)

Description

This is a follow-up to HV-1774.

It looks like CVE-2020-10693 has been updated to include more versions of Hibernate Validator, up to and including version 6.2.0.Final:

CVE-2020-10693/change-record

Is the CVE update correct and if so, are there any plans to address this in the Hibernate Validator 6.0.x and 6.1.x branches?

Environment

None

Activity

Guillaume Smet
March 3, 2021, 10:23 AM

OK, done. I'll let you know once I know more about this.

Guillaume Smet
March 3, 2021, 10:16 AM

6.2.x is for sure not vulnerable as it disables EL for custom violation messages by default.

I have no idea why they changed this. My guess is that they got automatically added. I'll try to reach out to Red Hat Prod Security who initially reported the CVE and see how it goes.

Jochen
March 3, 2021, 9:39 AM

For reference:

Assignee

Unassigned

Reporter

Jochen

Priority

Major