Bug 1809444 (CVE-2023-1932) - CVE-2023-1932 hibernate-validator: rendering of invalid html with SafeHTML leads to HTML injection and XSS
Summary: CVE-2023-1932 hibernate-validator: rendering of invalid html with SafeHTML le...
Status: NEW
Alias: CVE-2023-1932
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1817514
Blocks: 1809442
TreeView+ depends on / blocked
Reported: 2020-03-03 07:07 UTC by Dhananjay Arunesh
Modified: 2024-02-08 07:22 UTC (History)
114 users (show)

Fixed In Version: hibernate-validator 6.2, hibernate-validator 7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-03-03 07:07:53 UTC
A vulnerability was found in hibernate-validator version 6.1.2.Final, where the  method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can by bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid html which leads to attacks like HTML injection and Cross-Site-Scripting.

Comment 6 Cedric Buissart 2020-05-22 14:06:23 UTC

hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.

Supported versions of Satellite 6 embed vulnerable versions of hibernate-validator inside the candlepin component. However, the vulnerable functionality, SafeHtmlValidator, is not in use and therefore it is not possible to exploit it.

Note You need to log in before you can comment on or make changes to this bug.