Vulnerability Description
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVSS Score
MEDIUM (base score 6.1)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Hibernate Validator | < 6.0.18 |
| Redhat | Fuse | 1.0 |
| Redhat | Jboss Data Grid | - |
| Redhat | Jboss Enterprise Application Platform | - |
| Redhat | Openshift Application Runtimes | - |
| Redhat | Single Sign-On | - |
| Redhat | Enterprise Linux | 6.0 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Management Services For Element Software And Netapp Hci | - |
| Netapp | Snapcenter Plug-In | - |
| Netapp | Element | - |
| Oracle | Access Manager | 11.1.2.3.0 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.3 |
| Oracle | Agile Product Lifecycle Analytics | 3.6.1 |
| Oracle | Agile Product Lifecycle Management Integration Pack | 3.6 |
| Oracle | Airlines Data Model | 12.1.1.0.0 |
| Oracle | Application Express | 21.1.4 |
| Oracle | Application Performance Management | 13.4.1.0 |
| Oracle | Application Testing Suite | 13.3.0.1 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2020:0159 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0160 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0161 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0164 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0445 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 (Issue Tracking, Third Party Advisory)
- https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74
- https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459
- https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10
- https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-102
- https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901
- https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3
- https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415
- https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e40
- https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c09
FAQ
What is CVE-2019-10219?
CVE-2019-10219 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This...
How severe is CVE-2019-10219?
CVE-2019-10219 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10219?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Hibernate Validator, Redhat Fuse, Redhat Jboss Data Grid, Redhat Jboss Enterprise Application Platform, Redhat Openshift Application Runtimes.