Bug 1738673 (CVE-2019-10219) - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
Summary: CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10219
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1745487
Blocks: 1713386
TreeView+ depends on / blocked
 
Reported: 2019-08-07 20:04 UTC by Laura Pardo
Modified: 2020-05-26 16:09 UTC (History)
109 users (show)

Fixed In Version: hibernate-validator 6.0.18.Final, hibernate-validator 6.1.0.Final
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
Clone Of:
Environment:
Last Closed: 2020-01-21 08:09:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0159 None None None 2020-01-21 02:56:20 UTC
Red Hat Product Errata RHSA-2020:0160 None None None 2020-01-21 03:46:28 UTC
Red Hat Product Errata RHSA-2020:0161 None None None 2020-01-21 03:21:40 UTC
Red Hat Product Errata RHSA-2020:0164 None None None 2020-01-21 02:23:46 UTC
Red Hat Product Errata RHSA-2020:0445 None None None 2020-02-06 08:35:16 UTC
Red Hat Product Errata RHSA-2020:2067 None None None 2020-05-18 10:26:03 UTC
Red Hat Product Errata RHSA-2020:2321 None None None 2020-05-26 16:09:20 UTC

Description Laura Pardo 2019-08-07 20:04:39 UTC
A vulnerability was found in hibernate-validator. The SafeHtml validator fails to properly sanitize payloads. This could result in an XSS attack.

Comment 1 Laura Pardo 2019-08-07 20:04:49 UTC
Acknowledgments:

Name: Dominik Mizyn (Samsung R&D Institute Poland)

Comment 2 Summer Long 2019-08-08 03:27:47 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it is being deprecated and is only receiving security fixes for Important and Critical flaws.

Comment 3 Jason Shepherd 2019-08-08 05:58:13 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 4 Joshua Padman 2019-08-12 01:49:58 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 5
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss SOA Platform 5
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Joshua Padman 2019-08-12 01:51:07 UTC
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 14 Markus Koschany 2019-09-10 17:25:35 UTC
Hello,

which versions of hibernate-validator are affected? What is the fixing commit? I cannot find any recent commits regarding SafeHTML in https://github.com/hibernate/hibernate-validator

Thanks

Comment 20 Marek Novotny 2019-12-13 07:11:56 UTC
I looked for an usage of SafeHtml and there is no occurrence in the source code so marking RHDM and RHPAM as affected just on existence of hibernate-validator jar or dependency is invalid.

Searched the annotation class in sources:
"org.hibernate.validator.constraints.SafeHtml"

Comment 21 Paramvir jindal 2019-12-13 14:38:57 UTC
@Marek, Thank you for looking into it. I am closing the trackers created for RHDM/PAM and marking them as not affected.

Comment 23 errata-xmlrpc 2020-01-21 02:23:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164

Comment 24 errata-xmlrpc 2020-01-21 02:56:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159

Comment 25 errata-xmlrpc 2020-01-21 03:21:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161

Comment 26 errata-xmlrpc 2020-01-21 03:46:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160

Comment 27 Product Security DevOps Team 2020-01-21 08:09:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10219

Comment 32 errata-xmlrpc 2020-02-06 08:35:07 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445

Comment 38 errata-xmlrpc 2020-05-18 10:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 39 errata-xmlrpc 2020-05-26 16:09:15 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321


Note You need to log in before you can comment on or make changes to this bug.