[GHSA-m8p2-495h-ccmh] The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks #5791
Conversation
github-actions
bot
changed the base branch from
main
to
poc-effectiveness/advisory-improvement-5791
|
We have already confirmed with Red Hat regarding the affected versions of hibernate-validator, and the corresponding changes have been made as documented in the CVE record: https://www.cve.org/CVERecord?id=CVE-2019-10219. Please let us know if there are any further updates or actions required. |
|
Hi, We’ve confirmed the issue with the corresponding CNA. It would mean a lot to us if this could be confirmed, as it would be a great encouragement for our ongoing research. Please let us know if there’s anything else needed. 
|
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
advisory-database
bot
merged commit e92ab03
into
poc-effectiveness/advisory-improvement-5791
|
Hi @poc-effectiveness! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
advisory-database
bot
deleted the
poc-effectiveness-GHSA-m8p2-495h-ccmh
branch
Updates
Comments
Based on our analysis of commits and testing, we have confirmed that this vulnerability is present in the following versions which are not reported in GitHub Advisory Database:
6.0.0.Alpha1 through 6.0.17.Final
We reached out to the corresponding CNA by email regarding this issue, but no reply has been received so far.
[Reasons]
The issue was fixed in version 6.0.18.Final, as indicated by the following commit:
hibernate/hibernate-validator@20d7295
We examine all available versions of org.hibernate.validator:hibernate-validator listed on Maven Repository to ensure no affected versions are overlooked.
https://mvnrepository.com/artifact/org.hibernate.validator/hibernate-validator
We have developed and tested PoCs that reliably reproduce the vulnerability in all the affected versions listed above.
For 6.0.0.Alpha1 to 6.0.4.Final, the pocs are: https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219
For other versions, the pocs are: https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit
Please let us know if any additional information or evidence is required.