CVE-2014-3558
First published: Thu Jul 17 2014(Updated: )
IssueDescription: It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Hibernate Validator | >=4.3.0<4.3.2 | |
| Redhat Hibernate Validator | >=5.0.0<=5.0.3 | |
| Redhat Hibernate Validator | >=5.1.0<5.1.2 | |
| Redhat Hibernate Validator | =4.1.0 | |
| Redhat Hibernate Validator | =4.2.0 | |
| Redhat Hibernate Validator | =4.2.0-beta1 | |
| Redhat Hibernate Validator | =4.2.0-beta2 | |
| Redhat Hibernate Validator | =4.2.0-cr1 | |
| maven/org.hibernate:hibernate-validator | >=5.0.0<5.1.2 | 5.1.2 |
| maven/org.hibernate:hibernate-validator | >=4.3.0<4.3.2 | 4.3.2 |
| maven/org.hibernate:hibernate-validator | >=4.1.0<4.2.1 | 4.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hibernate.atlassian.net/browse/HV-912
- https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3558.yaml
- https://rhn.redhat.com/errata/RHSA-2014-1288.html
- https://rhn.redhat.com/errata/RHSA-2014-1287.html
- https://rhn.redhat.com/errata/RHSA-2014-1286.html
- https://rhn.redhat.com/errata/RHSA-2014-1285.html
- https://rhn.redhat.com/errata/RHSA-2015-0125.html
- https://rhn.redhat.com/errata/RHSA-2015-0235.html
- https://rhn.redhat.com/errata/RHSA-2015-0234.html
- https://rhn.redhat.com/errata/RHSA-2015-0720.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1120495
- http://rhn.redhat.com/errata/RHSA-2014-1285.html
- http://rhn.redhat.com/errata/RHSA-2014-1286.html
- http://rhn.redhat.com/errata/RHSA-2014-1287.html
- http://rhn.redhat.com/errata/RHSA-2014-1288.html
- http://rhn.redhat.com/errata/RHSA-2015-0125.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- https://nvd.nist.gov/vuln/detail/CVE-2014-3558
- https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d
- https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726
- https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c
- https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52
- https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e
- https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870
- https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f
- https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e
- https://github.com/advisories/GHSA-845h-985r-jrqh (Advisory)
- collector/redhat-bugzilla
- alias/CVE-2014-3558
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-845h-985r-jrqh
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/redhat
- canonical/redhat hibernate validator
- version/redhat hibernate validator/4.3.0
- version/redhat hibernate validator/5.0.0
- version/redhat hibernate validator/5.0.3
- version/redhat hibernate validator/5.1.0
- version/redhat hibernate validator/4.1.0
- version/redhat hibernate validator/4.2.0
- version/redhat hibernate validator/4.2.0-beta1
- version/redhat hibernate validator/4.2.0-beta2
- version/redhat hibernate validator/4.2.0-cr1
- package-manager/maven