CVE-2017-7536


Description

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

References

http://www.securityfocus.com/bid/101048

http://www.securitytracker.com/id/1039744

https://access.redhat.com/errata/RHSA-2017:2808

https://access.redhat.com/errata/RHSA-2017:2809

https://access.redhat.com/errata/RHSA-2017:2810

https://access.redhat.com/errata/RHSA-2017:2811

https://access.redhat.com/errata/RHSA-2017:3141

https://access.redhat.com/errata/RHSA-2017:3454

https://access.redhat.com/errata/RHSA-2017:3455

https://access.redhat.com/errata/RHSA-2017:3456

https://access.redhat.com/errata/RHSA-2017:3458

https://access.redhat.com/errata/RHSA-2018:2740

https://access.redhat.com/errata/RHSA-2018:2741

https://access.redhat.com/errata/RHSA-2018:2742

https://access.redhat.com/errata/RHSA-2018:2743

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2018:3817

https://bugzilla.redhat.com/show_bug.cgi?id=1465573

Details

Source: MITRE

Published: 2018-01-10

Updated: 2019-10-03

Type: CWE-470

Risk Information

CVSS v2

Base Score: 4.4

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.4

Severity: MEDIUM

CVSS v3

Base Score: 7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1

Severity: HIGH

Tenable Plugins


ID     | Name                                                 | Product | Family                         | Severity
118185 | RHEL 7 : Satellite Server (RHSA-2018:2927)           | Nessus  | Red Hat Local Security Checks  | critical
117772 | RHEL 6 : JBoss EAP (RHSA-2018:2743)                  | Nessus  | Red Hat Local Security Checks  | high
117771 | RHEL 7 : JBoss EAP (RHSA-2018:2741)                  | Nessus  | Red Hat Local Security Checks  | high
105269 | RHEL 7 : JBoss EAP (RHSA-2017:3455)                  | Nessus  | Red Hat Local Security Checks  | critical
105268 | RHEL 6 : JBoss EAP (RHSA-2017:3454)                  | Nessus  | Red Hat Local Security Checks  | critical
105252 | RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:3458)     | Nessus  | Red Hat Local Security Checks  | critical
104493 | RHEL 7 : rhvm-appliance (RHSA-2017:3141)             | Nessus  | Red Hat Local Security Checks  | critical
103527 | RHEL 6 : JBoss EAP (RHSA-2017:2809)                  | Nessus  | Red Hat Local Security Checks  | critical
103526 | RHEL 7 : JBoss EAP (RHSA-2017:2808)                  | Nessus  | Red Hat Local Security Checks  | critical
103500 | RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:2811)     | Nessus  | Red Hat Local Security Checks  | critical