{"id":"GHSA-rmrm-75hp-phr2","summary":"Improper Input Validation in Hibernate Validator","details":"A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.","aliases":["CVE-2020-10693"],"modified":"2025-09-12T21:06:54.702513Z","published":"2021-06-04T21:36:34Z","database_specific":{"github_reviewed_at":"2021-05-11T17:51:21Z","github_reviewed":true,"nvd_published_at":"2020-05-06T14:15:00Z","cwe_ids":["CWE-20"],"severity":"MODERATE"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10693"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E"},{"type":"WEB","url":"https://www.ibm.com/support/pages/node/6348216"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"package":{"name":"org.hibernate.validator:hibernate-validator","ecosystem":"Maven","purl":"pkg:maven/org.hibernate.validator/hibernate-validator"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0.Final"},{"fixed":"6.1.5.Final"}]}],"versions":["6.1.0.Final","6.1.1.Final","6.1.2.Final","6.1.3.Final","6.1.4.Final"],"database_specific":{"last_known_affected_version_range":"\u003c= 6.1.4.Final","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rmrm-75hp-phr2/GHSA-rmrm-75hp-phr2.json"}},{"package":{"name":"org.hibernate.validator:hibernate-validator","ecosystem":"Maven","purl":"pkg:maven/org.hibernate.validator/hibernate-validator"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.0.20.Final"}]}],"versions":["6.0.0.Alpha1","6.0.0.Alpha2","6.0.0.Beta1","6.0.0.Beta2","6.0.0.CR1","6.0.0.CR2","6.0.0.CR3","6.0.0.Final","6.0.1.Final","6.0.10.Final","6.0.11.Final","6.0.12.Final","6.0.13.Final","6.0.14.Final","6.0.15.Final","6.0.16.Final","6.0.17.Final","6.0.18.Final","6.0.19.Final","6.0.2.Final","6.0.3.Final","6.0.4.Final","6.0.5.Final","6.0.6.Final","6.0.7.Final","6.0.8.Final","6.0.9.Final"],"database_specific":{"last_known_affected_version_range":"\u003c= 6.0.19.Final","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rmrm-75hp-phr2/GHSA-rmrm-75hp-phr2.json"}},{"package":{"name":"org.hibernate:hibernate-validator","ecosystem":"Maven","purl":"pkg:maven/org.hibernate/hibernate-validator"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.1.0.Final"},{"fixed":"6.1.5.Final"}]}],"versions":["6.1.0.Final","6.1.1.Final","6.1.2.Final","6.1.3.Final","6.1.4.Final"],"database_specific":{"last_known_affected_version_range":"\u003c= 6.1.4.Final","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rmrm-75hp-phr2/GHSA-rmrm-75hp-phr2.json"}},{"package":{"name":"org.hibernate:hibernate-validator","ecosystem":"Maven","purl":"pkg:maven/org.hibernate/hibernate-validator"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.0.20.Final"}]}],"versions":["3.0.0.GA","3.0.0.ga","3.1.0.CR1","3.1.0.CR2","3.1.0.GA","4.0.0.Alpha1","4.0.0.Alpha2","4.0.0.Alpha3","4.0.0.Beta1","4.0.0.Beta2","4.0.0.Beta3","4.0.0.CR1","4.0.0.GA","4.0.1.GA","4.0.2.GA","4.1.0.Beta1","4.1.0.Beta2","4.1.0.CR1","4.1.0.Final","4.2.0.Beta1","4.2.0.Beta2","4.2.0.CR1","4.2.0.Final","4.3.0.Alpha1","4.3.0.Beta1","4.3.0.CR1","4.3.0.Final","4.3.1.Final","4.3.2.Final","5.0.0.Alpha1","5.0.0.Alpha2","5.0.0.Beta1","5.0.0.CR1","5.0.0.CR2","5.0.0.CR3","5.0.0.CR4","5.0.0.CR5","5.0.0.Final","5.0.1.Final","5.0.2.Final","5.0.3.Final","5.1.0.Alpha1","5.1.0.Beta1","5.1.0.CR1","5.1.0.Final","5.1.1.Final","5.1.2.Final","5.1.3.Final","5.2.0.Alpha1","5.2.0.Beta1","5.2.0.CR1","5.2.0.Final","5.2.1.Final","5.2.2.Final","5.2.3.Final","5.2.4.Final","5.2.5.Final","5.3.0.Alpha1","5.3.0.CR1","5.3.0.Final","5.3.1.Final","5.3.2.Final","5.3.3.Final","5.3.4.Final","5.3.5.Final","5.3.6.Final","5.4.0.Beta1","5.4.0.CR1","5.4.0.Final","5.4.1.Final","5.4.2.Final","5.4.3.Final","6.0.0.Alpha1","6.0.0.Alpha2","6.0.0.Beta1","6.0.0.Beta2","6.0.0.CR1","6.0.0.CR2","6.0.0.CR3","6.0.0.Final","6.0.1.Final","6.0.10.Final","6.0.11.Final","6.0.12.Final","6.0.13.Final","6.0.14.Final","6.0.15.Final","6.0.16.Final","6.0.17.Final","6.0.18.Final","6.0.19.Final","6.0.2.Final","6.0.3.Final","6.0.4.Final","6.0.5.Final","6.0.6.Final","6.0.7.Final","6.0.8.Final","6.0.9.Final"],"database_specific":{"last_known_affected_version_range":"\u003c= 6.0.19.Final","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rmrm-75hp-phr2/GHSA-rmrm-75hp-phr2.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}