VYPR
Moderate severity · NVD Advisory · Published Nov 7, 2024 · Updated Nov 7, 2024

hibernate-validator: rendering of invalid HTML accepted by SafeHtml leads to HTML injection and XSS

CVE-2023-1932

Description

A flaw was found in the 'isValid' method of hibernate-validator's org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class. The check can be bypassed by omitting the closing of a tag, ending the input in a less-than character instead. Browsers may still render this invalid HTML, allowing HTML injection or Cross-Site Scripting (XSS) attacks.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)                                    Affected versions   Patched versions
org.hibernate.validator:hibernate-validator (Maven)    < 6.2.0.Final       6.2.0.Final
org.hibernate:hibernate-validator (Maven)              < 6.2.0.Final       6.2.0.Final

Affected products (29)

  • Red Hat / Red Hat AMQ Broker 7
    cpe:/a:redhat:amq_broker:7
  • Red Hat / A-MQ Clients 2
    cpe:/a:redhat:a_mq_clients:2
  • Red Hat / Red Hat A-MQ Online
    cpe:/a:redhat:amq_online:1
  • Red Hat / streams for Apache Kafka
    cpe:/a:redhat:amq_streams:1
  • Red Hat / Cryostat 2
    cpe:/a:redhat:cryostat:2
  • Red Hat / Red Hat JBoss Data Grid 7
    cpe:/a:redhat:jboss_data_grid:7
  • Red Hat / Red Hat Data Grid 8
    cpe:/a:redhat:jboss_data_grid:8
  • cpe:/a:redhat:jboss_data_virtualization:6
  • Red Hat / Red Hat CodeReady Studio 12
    cpe:/a:redhat:jboss_developer_studio:12.
  • Red Hat / JBoss Enterprise Application Platform (4 CPEs)
    cpe:/a:redhat:jboss_enterprise_application_platform:5
    cpe:/a:redhat:jboss_enterprise_application_platform:6
    cpe:/a:redhat:jboss_enterprise_application_platform:7
    cpe:/a:redhat:jboss_enterprise_application_platform_cd
  • cpe:/a:redhat:jboss_enterprise_bpms_platform:6
  • cpe:/a:redhat:jboss_enterprise_bpms_platform:7
  • cpe:/a:redhat:jboss_enterprise_brms_platform:5
  • Red Hat / Red Hat Decision Manager 7
    cpe:/a:redhat:jboss_enterprise_brms_platform:7
  • cpe:/a:redhat:jboss_enterprise_soa_platform:5
  • Red Hat / Red Hat JBoss Fuse 6
    cpe:/a:redhat:jboss_fuse:6
  • Red Hat / Red Hat Fuse 7
    cpe:/a:redhat:jboss_fuse:7
  • cpe:/a:redhat:jboss_fuse_service_works:6
  • cpe:/a:redhat:jboss_operations_network:3
  • Red Hat / Red Hat support for Spring Boot
    cpe:/a:redhat:openshift_application_runtimes:1.0
  • Red Hat / Openstack (2 versions)
    cpe:/a:redhat:openstack:10
    cpe:/a:redhat:openstack:13
  • cpe:/a:redhat:red_hat_single_sign_on:7
  • Red Hat / Satellite
    cpe:/a:redhat:satellite:6
  • GHSA coordinates, no CPE (2 entries, one per Maven package above)
    range: < 6.2.0.Final
