A vulnerability was found in hibernate-validator. The SafeHtml validator fails to properly sanitize payloads. This could result in an XSS attack.
Acknowledgments: Name: Dominik Mizyn (Samsung R&D Institute Poland)
Statement: Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it is being deprecated and is only receiving security fixes for Important and Critical flaws.
This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 5 * Red Hat Enterprise Application Platform 6 * Red Hat JBoss Operations Network 3 * Red Hat JBoss BPM Suite 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss BRMS 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss SOA Platform 5 * JBoss Developer Studio 11 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Hello, which versions of hibernate-validator are affected? What is the fixing commit? I cannot find any recent commits regarding SafeHTML in https://github.com/hibernate/hibernate-validator Thanks
I looked for an usage of SafeHtml and there is no occurrence in the source code so marking RHDM and RHPAM as affected just on existence of hibernate-validator jar or dependency is invalid. Searched the annotation class in sources: "org.hibernate.validator.constraints.SafeHtml"
@Marek, Thank you for looking into it. I am closing the trackers created for RHDM/PAM and marking them as not affected.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0164
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0159
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0161
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0160
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10219
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:0445 https://access.redhat.com/errata/RHSA-2020:0445
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat Data Grid 7.3.6 Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This comment was flagged a spam, view the edit history to see the original text if required.