CVE-2014-3558

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.

Published Bysecalert@redhat.com

Published DateSep 30, 2014, 14:55

Affected Versions(3)

org.hibernate:hibernate-validator(Maven)

Introduced4.1.0

Fixed4.2.1

LimitN/A

org.hibernate:hibernate-validator(Maven)

Introduced4.3.0

Fixed4.3.2

LimitN/A

org.hibernate:hibernate-validator(Maven)

Introduced5.0.0

Fixed5.1.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.hibernate:hibernate-validator(Maven)	4.1.0	4.2.1	N/A
org.hibernate:hibernate-validator(Maven)	4.3.0	4.3.2	N/A
org.hibernate:hibernate-validator(Maven)	5.0.0	5.1.2	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE