CVE-2017-7536

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

Published: Jan 10, 2018
Updated: Nov 8, 2023
CVE: CVE-2017-7536
GHSA: GHSA-xxgp-pcfc-3vgc
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.4
AV:L/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-470

Affected Software
References

Software	From	Fixed in
redhat / hibernate_validator	5.4.0	5.4.2
redhat / hibernate_validator	5.3.0	5.3.6
redhat / hibernate_validator	5.2.0	5.2.5
redhat / satellite	6.4	6.4.x
redhat / satellite_capsule	6.4	6.4.x
redhat / jboss_enterprise_application_platform	6.0.0	6.0.0.x
redhat / jboss_enterprise_application_platform	6.4.0	6.4.0.x
redhat / jboss_enterprise_application_platform	7.0	7.0.x
redhat / jboss_enterprise_application_platform	7.1	7.1.x
redhat / virtualization	4.0	4.0.x
redhat / virtualization_host	4.0	4.0.x
org.hibernate / hibernate-validator	5.2.0	5.2.5.Final
org.hibernate / hibernate-validator	5.3.0	5.3.6.Final
org.hibernate / hibernate-validator	5.4.0	5.4.2.Final

Vulnerability Database

289,599

CVE-2017-7536