cvelistv5 - CVE-2023-1932

CVE-2023-1932

Vulnerability from cvelistv5

Published
2024-11-07 10:00
Modified
2024-11-07 14:09
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss
References
▼	URL	Tags
	secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2023-1932
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1809444
Impacted products
▼	Vendor	Product
	Red Hat	A-MQ Clients 2
	Red Hat	Cryostat 2
	Red Hat	Red Hat AMQ Broker 7
	Red Hat	Red Hat A-MQ Online
	Red Hat	Red Hat BPM Suite 6
	Red Hat	Red Hat CodeReady Studio 12
	Red Hat	Red Hat Data Grid 8
	Red Hat	Red Hat Decision Manager 7
	Red Hat	Red Hat Fuse 7
	Red Hat	Red Hat JBoss BRMS 5
	Red Hat	Red Hat JBoss Data Grid 7
	Red Hat	Red Hat JBoss Data Virtualization 6
	Red Hat	Red Hat JBoss Enterprise Application Platform 5
	Red Hat	Red Hat JBoss Enterprise Application Platform 6
	Red Hat	Red Hat JBoss Enterprise Application Platform 7
	Red Hat	Red Hat JBoss Enterprise Application Platform Continuous Delivery
	Red Hat	Red Hat JBoss Fuse 6
	Red Hat	Red Hat JBoss Fuse Service Works 6
	Red Hat	Red Hat JBoss Operations Network 3
	Red Hat	Red Hat JBoss SOA Platform 5
	Red Hat	Red Hat OpenStack Platform 10 (Newton)
	Red Hat	Red Hat OpenStack Platform 13 (Queens)
	Red Hat	Red Hat Process Automation 7
	Red Hat	Red Hat Satellite 6
	Red Hat	Red Hat Single Sign-On 7
	Red Hat	Red Hat support for Spring Boot
	Red Hat	streams for Apache Kafka
Show details on NVD website
JSON
To clipboard
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1932",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T14:09:13.280925Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T14:09:26.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:a_mq_clients:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j-log4j",
          "product": "A-MQ Clients 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cryostat:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "Cryostat 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_broker:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "Red Hat AMQ Broker 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_online:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.enmasse-enmasse",
          "product": "Red Hat A-MQ Online",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat BPM Suite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_developer_studio:12."
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat CodeReady Studio 12",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat Decision Manager 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss BRMS 5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_virtualization:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Data Virtualization 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:5"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_cd"
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform Continuous Delivery",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Fuse 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse_service_works:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Fuse Service Works 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_operations_network:3"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Operations Network 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss SOA Platform 5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:10"
          ],
          "defaultStatus": "unknown",
          "packageName": "opendaylight",
          "product": "Red Hat OpenStack Platform 10 (Newton)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:13"
          ],
          "defaultStatus": "affected",
          "packageName": "opendaylight",
          "product": "Red Hat OpenStack Platform 13 (Queens)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6"
          ],
          "defaultStatus": "affected",
          "packageName": "candlepin",
          "product": "Red Hat Satellite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat support for Spring Boot",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_streams:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "streams for Apache Kafka",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Christian Kistner (SySS GmbH) and Moritz Bechler (SySS GmbH) for reporting this issue."
        }
      ],
      "datePublic": "2024-02-07T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in hibernate-validator\u0027s \u0027isValid\u0027 method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T10:00:51.745Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-1932"
        },
        {
          "name": "RHBZ#1809444",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1809444"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2020-02-27T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-02-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-1932",
    "datePublished": "2024-11-07T10:00:51.745Z",
    "dateReserved": "2023-04-06T20:10:01.569Z",
    "dateUpdated": "2024-11-07T14:09:26.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-1932\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2024-11-07T10:15:04.507\",\"lastModified\":\"2024-11-07T14:35:02.567\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in hibernate-validator\u0027s \u0027isValid\u0027 method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una falla en el m\u00e9todo \u0027isValid\u0027 de hibernate-validator en la clase org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator, que se puede evitar omitiendo la etiqueta que termina en un car\u00e1cter menor que. Los navegadores pueden mostrar un c\u00f3digo HTML no v\u00e1lido, lo que permite la inyecci\u00f3n de HTML o ataques de Cross-Site-Scripting (XSS).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-1932\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1809444\",\"source\":\"secalert@redhat.com\"}]}}"
  }
}
Action not permitted

CVE-2023-1932

Vulnerability from cvelistv5

ghsa-x83m-pf6f-pf9g

Vulnerability from github

gsd-2023-1932

Vulnerability from gsd

Tags
