Bug 1738673 (CVE-2019-10219) - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS [NEEDINFO]
Summary: CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10219
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1745487
Blocks: 1713386
Reported: 2019-08-07 20:04 UTC by Laura Pardo
Modified: 2024-02-21 07:58 UTC
CC: 110 users

Fixed In Version: hibernate-validator 6.0.18.Final, hibernate-validator 6.1.0.Final
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
Clone Of:
Environment:
Last Closed: 2020-01-21 08:09:36 UTC
Embargoed:
paroda2093: needinfo? (alazarot)




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:0159  0        None      None    None     2020-01-21 02:56:20 UTC
Red Hat Product Errata  RHSA-2020:0160  0        None      None    None     2020-01-21 03:46:28 UTC
Red Hat Product Errata  RHSA-2020:0161  0        None      None    None     2020-01-21 03:21:40 UTC
Red Hat Product Errata  RHSA-2020:0164  0        None      None    None     2020-01-21 02:23:46 UTC
Red Hat Product Errata  RHSA-2020:0445  0        None      None    None     2020-02-06 08:35:16 UTC
Red Hat Product Errata  RHSA-2020:2067  0        None      None    None     2020-05-18 10:26:03 UTC
Red Hat Product Errata  RHSA-2020:2321  0        None      None    None     2020-05-26 16:09:20 UTC
Red Hat Product Errata  RHSA-2020:5568  0        None      None    None     2020-12-16 12:12:29 UTC

Description Laura Pardo 2019-08-07 20:04:39 UTC
A vulnerability was found in hibernate-validator. The SafeHtml validator fails to properly sanitize payloads. This could result in an XSS attack.
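The Doc Text and the description above describe the flaw only as "comments and instructions are not properly sanitized". The following is an added example, written for this page and not code from hibernate-validator, Red Hat or the reporter, that shows the shape of the problem using plain jsoup (the HTML library @SafeHtml delegates to): a check that hands only the element children of the parsed input to the whitelist Cleaner never sees top-level comment or XML processing-instruction nodes, so a payload wrapped in `<!-- -->` or `<? ?>` passes, while a check that hands over every child node rejects it. That the pre-6.0.18 validator was built in the first shape is my reading of the fix and is stated here as an assumption, not quoted from the project; the method names, the `Safelist.basic()` policy and the three sample strings are constructed for the example. It assumes jsoup 1.14.1 or later on the classpath (that release renamed Whitelist to Safelist).

```java
// Added example, not hibernate-validator code. Assumes jsoup >= 1.14.1.
import java.util.ArrayList;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.nodes.Node;
import org.jsoup.parser.Parser;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Safelist;

public class SafeHtmlCheckDemo {

    // Constructed policy for the demo; @SafeHtml offered comparable built-in whitelists.
    private static final Safelist SAFELIST = Safelist.basic();

    /**
     * Vulnerable shape. ASSUMPTION: modelled on how I understand the pre-fix validator
     * assembled its document, not copied from it. children() yields Element nodes only,
     * so Comment and XmlDeclaration nodes at the top level are silently dropped before
     * the Cleaner ever looks at the document, and the raw input is then reported valid.
     */
    static boolean isValidElementsOnly(String value) {
        Document fragment = Jsoup.parse(value, "", Parser.xmlParser());
        Document doc = Document.createShell("");
        for (Element el : fragment.children()) {
            doc.body().appendChild(el);
        }
        return new Cleaner(SAFELIST).isValid(doc);
    }

    /**
     * Hardened shape: every child node is copied across, so jsoup's Cleaner counts
     * comments and processing instructions as discarded and isValid() returns false.
     */
    static boolean isValidAllNodes(String value) {
        Document fragment = Jsoup.parse(value, "", Parser.xmlParser());
        Document doc = Document.createShell("");
        // copy the list first: appendChild re-parents the node, which would mutate
        // fragment.childNodes() while we iterate over it
        for (Node n : new ArrayList<>(fragment.childNodes())) {
            doc.body().appendChild(n);
        }
        return new Cleaner(SAFELIST).isValid(doc);
    }

    /**
     * What the application should persist or render: the cleaned markup. A constraint
     * annotation only answers yes/no about the raw string; it never rewrites it.
     */
    static String sanitize(String value) {
        return Jsoup.clean(value, SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign, one comment-wrapped script (IE-style conditional
        // comment), one XML processing instruction followed by allowed markup.
        String[] samples = {
            "<p>Hello <b>world</b></p>",
            "<p>Hello</p><!--[if IE]><script>alert(1)</script><![endif]-->",
            "<?xml-stylesheet href=\"x\"?><p>Hello</p>"
        };
        for (String s : samples) {
            System.out.printf("%-66s elementsOnly=%-5b allNodes=%-5b cleaned=%s%n",
                    s, isValidElementsOnly(s), isValidAllNodes(s), sanitize(s));
        }
    }
}
```

The practitioner's takeaway is the third method. Even with the fixed validator, @SafeHtml is a gate on the raw string, and whatever passes the gate is still what gets stored and rendered; persist the output of a real sanitizer (jsoup's `clean`, or the OWASP Java HTML Sanitizer) instead of the validated input. The constraint has since been deprecated and removed from hibernate-validator, so a migration to a sanitizer is needed regardless of this CVE.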

Comment 1 Laura Pardo 2019-08-07 20:04:49 UTC
Acknowledgments:

Name: Dominik Mizyn (Samsung R&D Institute Poland)

Comment 2 Summer Long 2019-08-08 03:27:47 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it is being deprecated and is only receiving security fixes for Important and Critical flaws.

Comment 3 Jason Shepherd 2019-08-08 05:58:13 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 4 Joshua Padman 2019-08-12 01:49:58 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 5
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss SOA Platform 5
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Joshua Padman 2019-08-12 01:51:07 UTC
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 14 Markus Koschany 2019-09-10 17:25:35 UTC
Hello,

which versions of hibernate-validator are affected? What is the fixing commit? I cannot find any recent commits regarding SafeHTML in https://github.com/hibernate/hibernate-validator

Thanks

Comment 20 Marek Novotny 2019-12-13 07:11:56 UTC
I looked for a usage of SafeHtml and there is no occurrence in the source code, so marking RHDM and RHPAM as affected just on the existence of the hibernate-validator jar or dependency is invalid.

Searched the annotation class in sources:
"org.hibernate.validator.constraints.SafeHtml"
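The method in this comment, deciding affectedness by whether the annotation is actually referenced rather than by whether the jar is on the classpath, is easy to automate. The following is an added example (not from the bug report, Red Hat or the hibernate-validator project) that walks a tree and reports source, XML constraint-mapping, class and jar entries referencing `org.hibernate.validator.constraints.SafeHtml`. The class-file check relies on the annotation's internal name appearing as a constant-pool string in any class compiled with `@SafeHtml` on it. The class and method names, the file-extension list and the rule that skips the hibernate-validator jar itself (which defines the annotation and would always match) are my choices; it needs only a Java 11+ JDK.

```java
// Added example, not hibernate-validator or Red Hat tooling. JDK only, Java 11+.
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SafeHtmlUsageScanner {

    // Source-level markers: the FQCN (import, or an XML constraint mapping) or the
    // short annotation form.
    private static final Pattern SOURCE_USAGE = Pattern.compile(
            "org\\.hibernate\\.validator\\.constraints\\.SafeHtml\\b|@SafeHtml\\b");

    // Bytecode-level marker: the descriptor "Lorg/hibernate/validator/constraints/SafeHtml;"
    // is stored as a constant-pool UTF-8 entry in every class that carries the annotation.
    private static final byte[] CLASS_USAGE =
            "org/hibernate/validator/constraints/SafeHtml".getBytes(StandardCharsets.ISO_8859_1);

    static List<String> scan(Path root) throws IOException {
        List<String> hits = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                Path fileName = p.getFileName();
                if (fileName == null || !Files.isRegularFile(p)) continue;
                String name = fileName.toString();
                if (name.endsWith(".java") || name.endsWith(".kt") || name.endsWith(".xml")) {
                    String src = new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
                    if (SOURCE_USAGE.matcher(src).find()) hits.add(p + " (source)");
                } else if (name.endsWith(".class")) {
                    if (contains(Files.readAllBytes(p), CLASS_USAGE)) hits.add(p + " (class)");
                } else if ((name.endsWith(".jar") || name.endsWith(".war"))
                        && !name.startsWith("hibernate-validator")) {
                    scanArchive(p, hits);
                }
            }
        }
        return hits;
    }

    // Scans the .class entries of one archive. Jars nested inside a war (WEB-INF/lib)
    // are not unpacked; unzip those first or extend this method.
    private static void scanArchive(Path archive, List<String> hits) throws IOException {
        try (ZipFile zf = new ZipFile(archive.toFile())) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                if (!e.getName().endsWith(".class")) continue;
                try (InputStream in = zf.getInputStream(e)) {
                    if (contains(in.readAllBytes(), CLASS_USAGE)) {
                        hits.add(archive + "!" + e.getName() + " (class in archive)");
                    }
                }
            }
        }
    }

    // Naive byte search; class files are small, so the quadratic worst case is irrelevant.
    private static boolean contains(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<String> hits = scan(root);
        if (hits.isEmpty()) {
            System.out.println("no SafeHtml usage found under " + root
                    + " (presence of the hibernate-validator jar alone does not make the app affected)");
        } else {
            hits.forEach(System.out::println);
        }
    }
}
```

Run it against a checked-out source tree and against the deployed artifact directory; the two answers can differ when a dependency, not your own code, applies the constraint. An empty result supports a "not affected" call as in this comment, but the version of hibernate-validator should still be raised to a fixed release so that nothing added later reopens the exposure.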

Comment 21 Paramvir jindal 2019-12-13 14:38:57 UTC
@Marek, Thank you for looking into it. I am closing the trackers created for RHDM/PAM and marking them as not affected.

Comment 23 errata-xmlrpc 2020-01-21 02:23:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164

Comment 24 errata-xmlrpc 2020-01-21 02:56:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159

Comment 25 errata-xmlrpc 2020-01-21 03:21:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161

Comment 26 errata-xmlrpc 2020-01-21 03:46:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160

Comment 27 Product Security DevOps Team 2020-01-21 08:09:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10219

Comment 32 errata-xmlrpc 2020-02-06 08:35:07 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445

Comment 38 errata-xmlrpc 2020-05-18 10:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 39 errata-xmlrpc 2020-05-26 16:09:15 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

Comment 40 errata-xmlrpc 2020-12-16 12:12:18 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 41 humburgerlive 2023-11-20 08:53:30 UTC
In certain cases, the safeHTML validator in Hibernate Validator failed to adequately sanitize user input, which is the cause of CVE-2019-10219. By doing so, an attacker could be able to get around the safeHTML validation and insert malicious HTML or script code into an application.

Cross-site scripting (XSS) attacks, in which the injected code is executed in the context of other users accessing the affected application, may result from the program's improper handling or sanitization of this input. I visited the road RHSA-2020:0160 to learn more: https://access.redhat.com/errata/RHSA-2020:0160

Comment 42 Olivia 2024-02-21 07:58:12 UTC
It seems like you are questioning the validity of marking RHDM and RHPAM as affected solely based on the presence of the hibernate-validator jar or dependency without finding any usage of SafeHtml in the source code. You have searched for the annotation class "org.hibernate.validator.constraints.SafeHtml" in the sources.

