CVE-2017-7536
First published: Tue Jun 27 2017(Updated: )
A vulnerability which allows for a potential privilege escalation was found in the Hibernate Validator. If a security manager is present and HV itself is allowed to access private members reflectively as per the SM's configuration, that'll allow calling code without that permission to get hold of private state. The attack vector is to declare a constraint on a private member using XML, validate an invalid instance of that type and access the private member value via ConstraintViolation#getInvalidValue().
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Hibernate Validator | >=5.2.0<5.2.5 | |
| Redhat Hibernate Validator | >=5.3.0<5.3.6 | |
| Redhat Hibernate Validator | >=5.4.0<5.4.2 | |
| Redhat Satellite | =6.4 | |
| Redhat Satellite Capsule | =6.4 | |
| Redhat Jboss Enterprise Application Platform | =6.0.0 | |
| Redhat Jboss Enterprise Application Platform | =6.4.0 | |
| Redhat Enterprise Linux | =5.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Jboss Enterprise Application Platform | =7.0 | |
| Redhat Jboss Enterprise Application Platform | =7.1 | |
| Redhat Virtualization | =4.0 | |
| Redhat Virtualization Host | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/101048
- http://www.securitytracker.com/id/1039744
- https://access.redhat.com/errata/RHSA-2017:2808
- https://access.redhat.com/errata/RHSA-2017:2809
- https://access.redhat.com/errata/RHSA-2017:2810
- https://access.redhat.com/errata/RHSA-2017:2811
- https://access.redhat.com/errata/RHSA-2017:3141
- https://access.redhat.com/errata/RHSA-2017:3454
- https://access.redhat.com/errata/RHSA-2017:3455
- https://access.redhat.com/errata/RHSA-2017:3456
- https://access.redhat.com/errata/RHSA-2017:3458
- https://access.redhat.com/errata/RHSA-2018:2740
- https://access.redhat.com/errata/RHSA-2018:2741
- https://access.redhat.com/errata/RHSA-2018:2742
- https://access.redhat.com/errata/RHSA-2018:2743
- https://access.redhat.com/errata/RHSA-2018:2927
- https://access.redhat.com/errata/RHSA-2018:3817
- https://bugzilla.redhat.com/show_bug.cgi?id=1465573
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1465573#c21
- https://github.com/hibernate/hibernate-validator/tree/5.2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1465573#c24
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- collector/nvd-index
- agent/weakness
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7536
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/redhat
- canonical/redhat hibernate validator
- version/redhat hibernate validator/5.2.0
- version/redhat hibernate validator/5.3.0
- version/redhat hibernate validator/5.4.0
- canonical/redhat satellite
- version/redhat satellite/6.4
- canonical/redhat satellite capsule
- version/redhat satellite capsule/6.4
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/6.0.0
- version/redhat jboss enterprise application platform/6.4.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/5.0
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat jboss enterprise application platform/7.0
- version/redhat jboss enterprise application platform/7.1
- canonical/redhat virtualization
- version/redhat virtualization/4.0
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- package-manager/redhat