SCA: security update for org.hibernate.validator:hibernate-validator (GHSA-7v6m-28jr-rg84)

medium Tenable Cloud Security Plugin ID 428718

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language (EL). This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data. (CVE-2025-35036)
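The description explains the vulnerable pattern only in the abstract. The Java listing below is an added example, not code from the advisory or from the Hibernate Validator project. It shows a custom ConstraintValidator that concatenates the rejected value into the violation message template, which is exactly how "${...}" in user input reaches the EL interpolator, beside a hardened variant that keeps the template constant, passes the value as a message parameter, and builds the ValidatorFactory with ParameterMessageInterpolator, which resolves {param} placeholders but never evaluates EL. It assumes Hibernate Validator 6.1.x with the javax.validation API (7.x uses jakarta.validation), an EL implementation such as org.glassfish:jakarta.el on the classpath, and Java 11 or later; the CountryCode constraints, the Address bean and the "${1+1}" input are constructed for the demonstration and are not part of the advisory.

```java
// Added example (not from the advisory or Hibernate Validator itself).
// Assumes Hibernate Validator 6.1.x (javax.validation API; 7.x uses jakarta.validation),
// an EL implementation on the classpath, and Java 11+.
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class ElInterpolationDemo {

    // Constructed allow-list for the hypothetical CountryCode constraints.
    private static final Set<String> ALLOWED = Set.of("DE", "FR", "US");

    // VULNERABLE PATTERN: the rejected value becomes part of the message template.
    @Documented @Constraint(validatedBy = UnsafeCountryCodeValidator.class)
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    public @interface UnsafeCountryCode {
        String message() default "invalid country code";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class UnsafeCountryCodeValidator implements ConstraintValidator<UnsafeCountryCode, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.contains(value)) return true;
            ctx.disableDefaultConstraintViolation();
            // DON'T: on affected versions the default interpolator evaluates "${...}" in this string.
            ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid country code")
               .addConstraintViolation();
            return false;
        }
    }

    // HARDENED PATTERN: constant template; the value is supplied as a message parameter.
    @Documented @Constraint(validatedBy = SafeCountryCodeValidator.class)
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    public @interface SafeCountryCode {
        String message() default "invalid country code";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class SafeCountryCodeValidator implements ConstraintValidator<SafeCountryCode, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.contains(value)) return true;
            HibernateConstraintValidatorContext hctx = ctx.unwrap(HibernateConstraintValidatorContext.class);
            hctx.disableDefaultConstraintViolation();
            // The template never contains user data; {rejected} is resolved as a parameter.
            // On affected versions the default interpolator may still run an EL pass over the
            // resolved message, so pair this with ParameterMessageInterpolator (see main) or upgrade.
            hctx.addMessageParameter("rejected", value)
                .buildConstraintViolationWithTemplate("'{rejected}' is not a valid country code")
                .addConstraintViolation();
            return false;
        }
    }

    // Constructed bean carrying both constraints so one validate() call exercises both paths.
    public static class Address {
        @UnsafeCountryCode String unsafeCountry;
        @SafeCountryCode   String safeCountry;
        Address(String v) { unsafeCountry = v; safeCountry = v; }
    }

    public static void main(String[] args) {
        // Constructed input: harmless EL that proves evaluation happens without doing damage.
        String payload = "${1+1}";

        // Default factory: uses ResourceBundleMessageInterpolator, which evaluates EL on affected versions.
        Validator lax = Validation.buildDefaultValidatorFactory().getValidator();
        for (ConstraintViolation<Address> v : lax.validate(new Address(payload))) {
            System.out.println("default interpolator:   " + v.getPropertyPath() + " -> " + v.getMessage());
        }

        // Hardened factory: ParameterMessageInterpolator resolves {params} only, never "${...}".
        Validator strict = Validation.byDefaultProvider().configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory()
                .getValidator();
        for (ConstraintViolation<Address> v : strict.validate(new Address(payload))) {
            System.out.println("parameter interpolator: " + v.getPropertyPath() + " -> " + v.getMessage());
        }
    }
}
```

On an affected version the first loop prints the unsafeCountry message with 2 where "${1+1}" was submitted, which is the evidence that request data reached the EL evaluator; the second factory prints the expression literally for both fields. Upgrading to 6.2.0 or 7.0.0 turns EL off for custom violation templates by default, but a constant template with the value passed out of band remains the right design on any version, and ParameterMessageInterpolator is a cheap defence in depth for services that never need EL in messages.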

See Also

https://github.com/advisories/GHSA-7v6m-28jr-rg84

Plugin Details

Severity: Medium

ID: 428718

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/4/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.59

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-35036

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/3/2025

Vulnerability Publication Date: 6/3/2025

Reference Information

CVE: CVE-2025-35036

CWE: CWE-94