What is CVE-2020-10693?

CVE-2020-10693 is a medium-severity vulnerability in Hibernate Hibernate-validator, classified under Improper Input Validation. CVSS score: 5.3/10. Published 2020-05-06.

How severe is CVE-2020-10693?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Is CVE-2020-10693 known to be exploited?

8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Improper input validation in Hibernate Hibernate-validator

CVE-2020-10693

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.023 (81.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Hibernate Hibernate-validator — versions 6.1.2.Final
Ibm Websphere_application_server
Oracle Weblogic_server — versions 14.1.1.0.0
Quarkus
Redhat Enterprise_linux — versions 6.0, 7.0, 8.0
Redhat Hibernate_validator — versions 7.0.0
Redhat Jboss_enterprise_application_platform — versions 7.2.0, 7.3.0
Redhat Satellite — versions 6.8
Redhat Satellite_capsule — versions 6.8

Weakness classification (CWE)

CWE-20 — Improper Input Validation

Public proof-of-concept exploits

References

secalert@redhat.com (mailing-list, x_refsource_MLIST)
secalert@redhat.com (mailing-list, x_refsource_MLIST)
secalert@redhat.com (mailing-list, x_refsource_MLIST)
secalert@redhat.com (Patch, Third Party Advisory, x_refsource_MISC)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory, Issue Tracking)

Frequently asked questions

What is CVE-2020-10693?: CVE-2020-10693 is a medium-severity vulnerability in Hibernate Hibernate-validator, classified under Improper Input Validation. CVSS score: 5.3/10. Published 2020-05-06.
How severe is CVE-2020-10693?: Medium severity. CVSS v3 base score is 5.3 out of 10.
Is CVE-2020-10693 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.