CVE assigned for vulnerability in hibernate-validator


Krzysztof Opasiak
 

Hi,

This is a note and warning about a vulnerability in hibernate-validator
(CVE-2019-10219). The SafeHtml validator fails to properly sanitize
payloads. This could result in an XSS attack[1].

The vulnerability has not been fixed yet, which means that even the
newest versions of hibernate-validator are vulnerable and all projects
that use it should consider it a known vulnerability.

This is the bug that I've been mentioning for quite some time during
SECCOM meetings. It was discovered by one of my team members and reported to
Red Hat, but I couldn't share any details due to the standard 90-day embargo period.

I hope that the bug is going to be fixed soon and a simple upgrade of
this library should fix the issue.

Footnotes:
1 - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
