CVE assigned for vulnerability in hibernate-validator

Krzysztof Opasiak


This is a note and warning about a vulnerability in hibernate-validator
(CVE-2019-10219). The SafeHtml validator fails to properly sanitize
payloads. This could result in an XSS attack[1].

The vulnerability has not been fixed yet, which means that even the
newest versions of hibernate-validator are vulnerable, and all projects
that use it should consider it a known vulnerability.

This is the bug that I've been mentioning for quite some time during
SECCOM meetings, as discovered by one of my team members and reported to
Red Hat, but I couldn't share any details due to the standard 90-day embargo period.

I hope that the bug is going to be fixed soon, and a simple upgrade of
this library should then fix the issue.

1 -

Best regards,
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics