CVE-2023-1932
Cross-Site-Scripting (XSS) vulnerability in hibernate-validator (Maven)

Category: Cross-Site-Scripting (XSS). Exploit status: no known public exploit.

What is CVE-2023-1932 About?

A flaw in hibernate-validator's `isValid` method (SafeHtmlValidator class) allows bypass of HTML sanitization by omitting the tag ending in a less-than character. This can lead to HTML injection or Cross-Site-Scripting (XSS) attacks. Exploitation is medium difficulty, requiring crafted input that circumvents the validator's incomplete checks.

Affected Software

  • org.hibernate.validator:hibernate-validator
    • <6.2.0.Final
  • org.hibernate:hibernate-validator
    • <6.2.0.Final

Technical Details

The vulnerability exists in the isValid method of the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class within hibernate-validator. The SafeHtmlValidator is designed to sanitize HTML to prevent injection attacks. However, it can be bypassed if an attacker omits the closing angle bracket ('>') of an HTML tag. This incomplete tag, when supplied as input, is incorrectly handled by the validator, allowing it to pass validation. Subsequently, when a browser renders this invalid HTML, it may still interpret the malicious content, leading to HTML injection or, more critically, Cross-Site-Scripting (XSS) attacks if JavaScript is embedded.
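The validate-in-isolation problem described above, as an added example that is not hibernate-validator's code: a small Python stand-in for a validate-then-pass-through check, which a tag missing its closing '>' passes because the tokenizer emits no start tag for it in isolation, while the same raw fragment embedded in a page yields an `img` element with an event-handler attribute; escaping the input on output is the mitigation shown. The allow-list, the `handler()` name and the wrapper markup are constructed for the example.

```python
"""Why a validate-and-pass-through HTML check fails on an unclosed tag."""
from html import escape
from html.parser import HTMLParser

# Constructed allow-list standing in for a sanitizer whitelist; no attributes allowed.
ALLOWED_TAGS = {"b", "i", "p", "br"}


class TagCollector(HTMLParser):
    """Records (tag, attrs) for every start tag the tokenizer actually emits."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag  # treat <br/> like <br>


def start_tags(html):
    parser = TagCollector()
    parser.feed(html)
    parser.close()  # flush: an unclosed tag at EOF never becomes a start tag
    return parser.tags


def fragment_is_valid(fragment):
    """Validate-only check on the isolated fragment (a model of the approach
    the advisory describes, not the real SafeHtmlValidator code)."""
    return all(tag in ALLOWED_TAGS and not attrs for tag, attrs in start_tags(fragment))


def render(fragment):
    """What the page does after validation: embed the raw fragment unchanged.
    The page's own '</div>' now terminates the attacker's unclosed tag."""
    return "<div class=comment>" + fragment + "</div>"


def render_escaped(fragment):
    """Mitigation: treat user input as text (or re-serialize a sanitized tree)."""
    return "<div class=comment>" + escape(fragment, quote=True) + "</div>"


def event_handlers(html):
    """Detection helper: any on* attribute present in the rendered page."""
    return [(tag, name) for tag, attrs in start_tags(html) for name in attrs if name.startswith("on")]


# Constructed input: the closing '>' of the tag is omitted.
UNCLOSED = "<img src=x onerror=handler()"
```

Run stand-alone, `fragment_is_valid(UNCLOSED)` is true, yet `event_handlers(render(UNCLOSED))` reports the `onerror` attribute and `event_handlers(render_escaped(UNCLOSED))` is empty.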

What is the Impact of CVE-2023-1932?

Successful exploitation may allow attackers to inject arbitrary HTML or client-side script code into web pages, leading to defacement, unauthorized access to user data (session hijacking), or phishing attacks.

What is the Exploitability of CVE-2023-1932?

Exploitation of this XSS bypass requires an attacker to submit specially crafted input that leverages the incomplete HTML tag detection in the SafeHtmlValidator. The complexity is moderate, as it requires knowledge of how browsers parse malformed HTML. Authentication and privilege requirements depend on where user input is accepted and validated; if publicly accessible without authentication, the risk is higher. This is primarily a remote exploit as it typically involves injecting malicious content through web forms or APIs. Risk factors include web applications that rely solely on hibernate-validator for HTML sanitization of user-supplied content without additional layers of defense.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
--- | ------ | ---- | ----------
No known exploits | - | - | -

What are the Available Fixes for CVE-2023-1932?

Available Upgrade Options

  • org.hibernate:hibernate-validator
    • <6.2.0.Final → Upgrade to 6.2.0.Final
  • org.hibernate.validator:hibernate-validator
    • <6.2.0.Final → Upgrade to 6.2.0.Final


Additional Resources

What are Similar Vulnerabilities to CVE-2023-1932?

Similar Vulnerabilities: CVE-2021-21290, CVE-2020-1748, CVE-2022-22965, CVE-2023-38501, CVE-2023-28155