CVE-2020-10693 — MEDIUM (5.3)

Q: How severe is CVE-2020-10693?

CVE-2020-10693 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-10693?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Hibernate Validator, Ibm Websphere Application Server, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Redhat Satellite.

Vulnerability Description

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Hibernate Validator	>= 5.0.0, < 6.0.20
Ibm	Websphere Application Server	>= 17.0.0.3, <= 20.0.0.10
Redhat	Jboss Enterprise Application Platform	7.2.0
Redhat	Enterprise Linux	6.0
Redhat	Satellite	6.8
Redhat	Satellite Capsule	6.8
Quarkus	Quarkus	<= 1.4.2
Oracle	Weblogic Server	14.1.1.0.0

Related Weaknesses (CWE)

CWE-20

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693Issue TrackingThird Party Advisory
https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e40
https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c09
https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e220
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693Issue TrackingThird Party Advisory
https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e40
https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c09
https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e220
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-10693?

CVE-2020-10693 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attacke...

How severe is CVE-2020-10693?

CVE-2020-10693 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-10693?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Hibernate Validator, Ibm Websphere Application Server, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Redhat Satellite.