hibernate-validator-6.0.22.Final.jar: 1 vulnerabilities (highest severity is: 6.1)

[mend-for-github-com]

Vulnerable Library - hibernate-validator-6.0.22.Final.jar

Hibernate's Bean Validation (JSR-380) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /appclient/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (hibernate-validator version)	Remediation Possible**	Reachability
CVE-2023-1932	Medium	6.1	hibernate-validator-6.0.22.Final.jar	Direct	6.2.0.CR1	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-1932

Vulnerable Library - hibernate-validator-6.0.22.Final.jar

Hibernate's Bean Validation (JSR-380) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /appclient/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.0.22.Final/hibernate-validator-6.0.22.Final.jar

Dependency Hierarchy:

• ❌ hibernate-validator-6.0.22.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can by bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid html which leads to attacks like HTML injection and Cross-Site-Scripting.

Publish Date: 2023-04-07

URL: CVE-2023-1932

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444

Release Date: 2023-04-07

Fix Resolution: 6.2.0.CR1

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.