We have identified a small vulnerability in Hibernate Validator, which is used in at least WildFly and JBoss EAP.
https://issues.jboss.org/browse/WFLY-5223
https://hibernate.atlassian.net/browse/HV-1012
The vulnerability is in the dependency jsoup. Our understanding is that the likely vector is that:
- an app developer guards a field as safe HTML via Hibernate Validator
- a malicious user sends a non-safe HTML snippet that is not properly detected
- the application then uses the HTML believing it is safe.
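The three-step vector above hinges on the application treating a passed @SafeHtml check as a guarantee. The following is an added illustration of the defensive pattern that breaks that assumption; it is not code from this report, from Hibernate Validator or from jsoup. It assumes a Bean Validation 1.1 setup with Hibernate Validator 5.x and jsoup on the classpath; the CommentForm class, the choice of the BASIC whitelist and the sample inputs are constructed for the example.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.constraints.SafeHtml;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Hypothetical form bean. The field is guarded with @SafeHtml, whose validator
// delegates the "is this markup safe?" decision to jsoup, the dependency at issue.
public class CommentForm {

    @SafeHtml(whitelistType = SafeHtml.WhiteListType.BASIC)
    private String body;

    public CommentForm(String body) {
        this.body = body;
    }

    public String getBody() {
        return body;
    }

    // Step 1: the validation the report describes. An empty violation set means
    // jsoup did not flag the input; it does not mean the input is safe to use as-is.
    public static boolean passesSafeHtmlConstraint(CommentForm form) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<CommentForm>> violations = validator.validate(form);
        return violations.isEmpty();
    }

    // Step 2: defense in depth. Instead of storing or rendering the submitted markup
    // unchanged, run it through jsoup's cleaner with the same whitelist, so anything
    // the validator let through is stripped rather than trusted. A detection gap in
    // the validator then degrades to "unwanted markup removed", not "unwanted markup rendered".
    public static String sanitizeForStorage(String submittedHtml) {
        return Jsoup.clean(submittedHtml, Whitelist.basic());
    }

    // Combined intake path: reject what the constraint catches, sanitize what it lets through.
    public static String acceptComment(String submittedHtml) {
        CommentForm form = new CommentForm(submittedHtml);
        if (!passesSafeHtmlConstraint(form)) {
            throw new IllegalArgumentException("rejected by @SafeHtml");
        }
        return sanitizeForStorage(form.getBody());
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demo: one benign snippet, one with a script element.
        String benign = "<p>Hello <b>world</b></p>";
        String scripted = "<p>Hi</p><script>alert(1)</script>";
        System.out.println(acceptComment(benign));
        try {
            acceptComment(scripted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the second step is that validation and sanitization are different controls: @SafeHtml only answers yes or no, so a false "yes" leaves the original bytes intact, whereas Jsoup.clean rewrites the fragment to the whitelist regardless of what the validator concluded. Output encoding in the view layer remains the last line of defense, and the jsoup version itself should be pinned to one carrying the fix referenced in the errata below.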
CVE assignment: http://www.openwall.com/lists/oss-security/2015/08/28/5
This issue has been addressed in the following products: Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html
This issue has been addressed in the following products: Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html