jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7d8412e76d
cvrf2cusa/cvrf/2021/cvrf-openEuler-SA-2021-1138.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

102 lines
6.2 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1138</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-04-07</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-04-07</InitialReleaseDate>
<CurrentReleaseDate>2021-04-07</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-04-07</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">hibernate-validator security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">This is the reference implementation of JSR-349 - Bean Validation 1.1. Bean Validation defines a meta-data model and API for JavaBean as well as method validation. The default meta-data source are annotations, with the ability to override and extend the meta-data through the use of XML validation descriptors.
Security Fix(es):
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.(CVE-2020-10693)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">hibernate-validator</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1138</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-10693</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-10693</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="hibernate-validator-annotation-processor-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="hibernate-validator-cdi-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-cdi-5.2.4-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="hibernate-validator-performance-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-performance-5.2.4-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="hibernate-validator-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-5.2.4-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="hibernate-validator-parent-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-parent-5.2.4-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="hibernate-validator-javadoc-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-javadoc-5.2.4-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="hibernate-validator-test-utils-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-test-utils-5.2.4-3.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="hibernate-validator-5.2.4-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">hibernate-validator-5.2.4-3.oe1.src.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.</Note>
</Notes>
<ReleaseDate>2021-04-07</ReleaseDate>
<CVE>CVE-2020-10693</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>5.3</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>hibernate-validator security update</Description>
<DATE>2021-04-07</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1138</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink