CVE-2019-10219

Home/CVE/A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads

CVE

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

MEDIUM · CVSS 6.1 EPSS 0.01674

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

▤

Affected Products & Versions

redhat hibernate validator< 6.0.18
redhat hibernate validatorall versions
redhat fuseall versions
redhat jboss data gridall versions
redhat jboss enterprise application platformall versions
redhat openshift application runtimesall versions
redhat single sign-onall versions
netapp active iq unified managerall versions
Show all 27 affected productsnetapp management services for element software and netapp hciall versions
netapp snapcenter plug-inall versions
netapp elementall versions
oracle access managerall versions
oracle agile engineering data managementall versions
oracle agile plmall versions
oracle agile product lifecycle analyticsall versions
oracle agile product lifecycle management integration packall versions
oracle airlines data modelall versions
oracle application expressall versions
oracle application performance managementall versions
oracle application testing suiteall versions
oracle argus analyticsall versions
oracle argus insightall versions
oracle argus safetyall versions
oracle banking apisall versions
oracle banking deposits and lines of credit servicingall versions
oracle banking digital experienceall versions
oracle banking enterprise default managementall versions

▤

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven org.hibernate.validator:hibernate-validator MODERATE fixed in 6.1.0.Alpha6

Maven org.hibernate:hibernate-validator MODERATE fixed in 6.1.0.Alpha6

▣

Scoring & Timeline

6.1

MEDIUM · CVSS v3.1 · secalert@redhat.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD08 Nov 2019 · 03:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

⚑

Vendor Advisories

rhsaRHSA-2020:4366Important
rhsaRHSA-2020:5568Important
rhsaRHSA-2020:2067Important
rhsaRHSA-2020:0445Moderate
rhsaRHSA-2020:2321Important
Show all 9 vendor advisoriesrhsaRHSA-2020:0161Important
rhsaRHSA-2020:0164Important
rhsaRHSA-2020:0160Important
rhsaRHSA-2020:0159Important

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219Issue TrackingThird Party Advisory

https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56cee

https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe

https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219

https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit

https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E

Show all 14 references

https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E

https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E

https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E

https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E

https://security.netapp.com/advisory/ntap-20220210-0024/Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlThird Party Advisory

https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin