CVE-2020-10693
Bypass vulnerability in hibernate-validator (Maven)

Type: Bypass. Known public exploit: none.

What is CVE-2020-10693 About?

This flaw in Hibernate Validator allows for invalid Expression Language (EL) expressions to be evaluated, bypassing input sanitation controls. The impact is primarily on the integrity and security of error messages, potentially leading to information disclosure or further exploitation. Exploitation requires user-controlled data to be processed within error messages, making it moderately complex.

Affected Software

  • org.hibernate.validator:hibernate-validator
    • <6.0.20.Final
    • >6.1.0.Final, <6.1.5.Final
  • org.hibernate:hibernate-validator
    • <6.0.20.Final
    • >6.1.0.Final, <6.1.5.Final

Technical Details

A bug in Hibernate Validator version 6.1.2.Final's message interpolation processor causes it to incorrectly evaluate invalid EL expressions. When user-controlled data, which may contain malicious EL syntax, is incorporated into error messages, the validator's sanitation controls are bypassed. This vulnerability allows the attacker to inject and execute arbitrary EL expressions, circumventing developer-implemented measures to escape or strip potentially dangerous input in error message contexts. This can lead to information leakage or RCE if the EL expressions can invoke dangerous methods.
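To make the distinction above concrete, here is an added example (not code from the advisory or from the Hibernate project) of a custom constraint that keeps rejected user input out of the message template and, as defence in depth, configures an interpolator that never evaluates EL. It assumes Bean Validation 2.0 (javax.validation) with Hibernate Validator 6.x; the SafeHandle, SafeHandleValidator, Profile and ElSafeMessages names are hypothetical.

```java
import java.lang.annotation.*;
import java.util.Set;
import javax.validation.*;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

// Hypothetical constraint (assumption): a handle must be a plain alphanumeric token.
@Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeHandleValidator.class)
@interface SafeHandle {
    // Fixed template: {input} is a message parameter, never part of the template text itself.
    String message() default "handle {input} may only contain [A-Za-z0-9_]";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class SafeHandleValidator implements ConstraintValidator<SafeHandle, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || value.matches("[A-Za-z0-9_]+")) return true;
        // UNSAFE pattern (the one this CVE class abuses): the rejected input is concatenated
        // into the message *template*, so any ${...} it carries reaches the EL interpolator:
        //   ctx.buildConstraintViolationWithTemplate("bad handle: " + value).addConstraintViolation();
        // SAFE pattern: keep the template constant and hand the input over as a named parameter,
        // so it is substituted as a value instead of being parsed as template syntax.
        ctx.unwrap(HibernateConstraintValidatorContext.class).addMessageParameter("input", value);
        return false; // the default message (with {input}) is reported
    }
}

class Profile {
    @SafeHandle String handle;
    Profile(String handle) { this.handle = handle; }
}

public class ElSafeMessages {
    public static void main(String[] args) {
        // Defence in depth: ParameterMessageInterpolator resolves {parameters} but never evaluates
        // EL, so ${...} in user data stays inert even on a build that is still affected.
        // Caveat: bundled messages that rely on EL (e.g. ${validatedValue}) stop evaluating too.
        ValidatorFactory factory = Validation.byProvider(HibernateValidator.class).configure()
            .messageInterpolator(new ParameterMessageInterpolator())
            .buildValidatorFactory();
        Validator validator = factory.getValidator();
        // Constructed sample input carrying EL syntax; it should surface as literal text.
        Set<ConstraintViolation<Profile>> violations = validator.validate(new Profile("${1+1}"));
        violations.forEach(v -> System.out.println(v.getMessage()));
        factory.close();
    }
}
```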

What is the Impact of CVE-2020-10693?

Successful exploitation may allow attackers to bypass input sanitation controls, enabling the evaluation of malicious expressions and potentially leading to information disclosure or arbitrary code execution.

What is the Exploitability of CVE-2020-10693?

Exploitation necessitates that an attacker can provide user-controlled input that is subsequently used within error messages processed by Hibernate Validator. The complexity of crafting effective EL expressions for exploitation can vary. There are no explicit authentication or privilege requirements beyond the ability to submit data that triggers an error message. Access is typically remote, as the attacker interacts with the application's input fields. The risk factors include applications that display detailed error messages incorporating user input without sufficient sanitization, making the application vulnerable to EL injection.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-10693?

Available Upgrade Options

  • org.hibernate:hibernate-validator
    • <6.0.20.Final → Upgrade to 6.0.20.Final
    • >6.1.0.Final, <6.1.5.Final → Upgrade to 6.1.5.Final
  • org.hibernate.validator:hibernate-validator
    • <6.0.20.Final → Upgrade to 6.0.20.Final
    • >6.1.0.Final, <6.1.5.Final → Upgrade to 6.1.5.Final

Additional Resources

What are Similar Vulnerabilities to CVE-2020-10693?

Similar Vulnerabilities: CVE-2020-11116, CVE-2019-10086, CVE-2018-1000613, CVE-2017-1000487