{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"hibernate-validator security update", "category":"general", "title":"Synopsis" }, { "text":"An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"This is the reference implementation of JSR-349 - Bean Validation 1.1. Bean Validation defines a meta-data model and API for JavaBean as well as method validation. The default meta-data source are annotations, with the ability to override and extend the meta-data through the use of XML validation descriptors.\n\nSecurity Fix(es):\n\nA flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.(CVE-2020-10693)", "category":"general", "title":"Description" }, { "text":"An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"hibernate-validator", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2021-1138", "category":"self", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1138" }, { "summary":"CVE-2020-10693", "category":"self", "url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2020-10693&packageName=hibernate-validator" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10693" }, { "summary":"openEuler-SA-2021-1138 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1138.json" } ], "title":"An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1", "tracking":{ "initial_release_date":"2021-04-07T09:18:57+08:00", "revision_history":[ { "date":"2021-04-07T09:18:57+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:18:57+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:18:57+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:18:57+08:00", "id":"openEuler-SA-2021-1138", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-cdi-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-cdi-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-cdi-5.2.4-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-performance-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-performance-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-performance-5.2.4-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-5.2.4-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-parent-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-parent-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-parent-5.2.4-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-javadoc-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-javadoc-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-javadoc-5.2.4-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-test-utils-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-test-utils-5.2.4-3.oe1.noarch.rpm" }, "name":"hibernate-validator-test-utils-5.2.4-3.oe1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"hibernate-validator-5.2.4-3.oe1.src.rpm(20.03-LTS-SP1)", "name":"hibernate-validator-5.2.4-3.oe1.src.rpm" }, "name":"hibernate-validator-5.2.4-3.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch", "name":"hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-cdi-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-cdi-5.2.4-3.oe1.noarch", "name":"hibernate-validator-cdi-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-performance-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-performance-5.2.4-3.oe1.noarch", "name":"hibernate-validator-performance-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.noarch", "name":"hibernate-validator-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-parent-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-parent-5.2.4-3.oe1.noarch", "name":"hibernate-validator-parent-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-javadoc-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-javadoc-5.2.4-3.oe1.noarch", "name":"hibernate-validator-javadoc-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-test-utils-5.2.4-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-test-utils-5.2.4-3.oe1.noarch", "name":"hibernate-validator-test-utils-5.2.4-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"hibernate-validator-5.2.4-3.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.src", "name":"hibernate-validator-5.2.4-3.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2020-10693", "notes":[ { "text":"A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-cdi-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-performance-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-parent-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-javadoc-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-test-utils-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-cdi-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-performance-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-parent-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-javadoc-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-test-utils-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.src" ], "details":"hibernate-validator security update", "category":"vendor_fix", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1138" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-cdi-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-performance-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-parent-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-javadoc-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-test-utils-5.2.4-3.oe1.noarch", "openEuler-20.03-LTS-SP1:hibernate-validator-5.2.4-3.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2020-10693" } ] }