CVE-2017-7536

high

Description

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

References

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://bugzilla.redhat.com/show_bug.cgi?id=1465573

https://access.redhat.com/errata/RHSA-2018:3817

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2018:2743

https://access.redhat.com/errata/RHSA-2018:2742

https://access.redhat.com/errata/RHSA-2018:2741

https://access.redhat.com/errata/RHSA-2018:2740

https://access.redhat.com/errata/RHSA-2017:3458

https://access.redhat.com/errata/RHSA-2017:3456

https://access.redhat.com/errata/RHSA-2017:3455

https://access.redhat.com/errata/RHSA-2017:3454

https://access.redhat.com/errata/RHSA-2017:3141

https://access.redhat.com/errata/RHSA-2017:2811

https://access.redhat.com/errata/RHSA-2017:2810

https://access.redhat.com/errata/RHSA-2017:2809

https://access.redhat.com/errata/RHSA-2017:2808

http://www.securitytracker.com/id/1039744

http://www.securityfocus.com/bid/101048

Details

Source: Mitre, NVD

Published: 2018-01-10

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 4.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High