Bug 1809444 (CVE-2023-1932)

Summary: CVE-2023-1932 hibernate-validator: rendering of invalid html with SafeHTML leads to HTML injection and XSS
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, aileenc, akoufoud, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, cmoulliard, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, eaguilar, ebaron, eglynn, ehelms, fjuma, gmalinko, gsmet, gvarsami, hhudgeon, ibek, ikanello, ivassile, iweiss, janstey, jawilson, jbalunas, jcoleman, jjoyce, jkang, jochrist, jolee, jpallich, jperkins, jrokos, jross, jschatte, jschluet, jscholz, jsherril, jstastny, jwon, kverlaen, kwills, ldimaggi, lgao, lhh, loleary, lpeer, lsvaty, lthon, lzap, mburns, mgarciac, mhulan, mkolesni, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nmoumoul, nwallace, orabin, pcreech, pdelbell, pdrozd, peholase, pgallagh, pgrist, pjindal, pmackay, pskopek, psotirop, rchan, rfreire, rguimara, rjerrido, rkieley, rowaters, rruss, rstancel, rsvoboda, rwagner, sclewis, scohen, scorneli, sdaley, security-response-team, sfroberg, slinaber, smaestri, sokeeffe, sthorger, swoodman, tcunning, theute, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hibernate-validator 6.2, hibernate-validator 7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render the invalid HTML, allowing HTML injection or Cross-Site Scripting (XSS) attacks.
Bug Depends On: 1817514    
Bug Blocks: 1809442    

Description Dhananjay Arunesh 2020-03-03 07:07:53 UTC
A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can be bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid HTML, which leads to attacks like HTML injection and Cross-Site-Scripting.
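
A defensive pre-check for the condition this report describes (a tag whose end is omitted), as an added example that is not part of the original report and is not hibernate-validator or Red Hat code. The class and method names are hypothetical, the sample strings are constructed, and the check rejects conservatively; it does not replace HTML-encoding values when they are rendered.

```java
// Added example; not hibernate-validator code. Names are hypothetical.
public final class UnterminatedTagCheck {

    // '<' starts markup only when followed by a letter, '/', '!' or '?'.
    private static boolean startsMarkup(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || c == '/' || c == '!' || c == '?';
    }

    /** True if some tag is opened with '<' but never closed with '>'. */
    public static boolean hasUnterminatedTag(String input) {
        final int n = input.length();
        int i = 0;
        while (i < n) {
            if (input.charAt(i) != '<' || i + 1 >= n
                    || !startsMarkup(input.charAt(i + 1))) {
                i++;                       // plain text such as "1 < 2"
                continue;
            }
            i++;                           // step past '<'
            char quote = 0;                // open attribute quote, 0 if none
            boolean closed = false;
            while (i < n && !closed) {
                char t = input.charAt(i++);
                if (quote != 0) {
                    if (t == quote) quote = 0;   // quoted value ends
                } else if (t == '"' || t == '\'') {
                    quote = t;             // '>' inside quotes does not close
                } else if (t == '>') {
                    closed = true;
                } else if (t == '<') {
                    return true;           // next tag began before this one closed
                }
            }
            if (!closed) return true;      // input ended inside a tag
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "<b>ok</b>", "1 < 2", "<a title=\">\">x</a>",
            "text <b title=x", "<i <b>x</b>"
        };
        for (String s : samples) {
            System.out.println(hasUnterminatedTag(s) + "\t" + s);
        }
    }
}
```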

Comment 6 Cedric Buissart 2020-05-22 14:06:23 UTC
Statement:

hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.

Supported versions of Satellite 6 embed vulnerable versions of hibernate-validator inside the candlepin component. However, the vulnerable functionality, SafeHtmlValidator, is not in use and therefore it is not possible to exploit it.