CVE-2019-10219

high-risk

Published 2019-11-08

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

Do I need to act?

1.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Hibernate Validator

Fuse

Jboss Data Grid

Jboss Enterprise Application Platform

Openshift Application Runtimes

Single Sign-On

Jboss Enterprise Application Platform

Active Iq Unified Manager

Management Services For Element Software And Netapp Hci

Snapcenter Plug-In

Element

Affected Vendors

Redhat Oracle Netapp

References (36)

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0159

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0160

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0161

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0164

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0445

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219

https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74...

https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459...

https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10...

https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-102...

https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901...

https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3...

https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415...

https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e40...

https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c09...

https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e220...

Third Party Advisory https://security.netapp.com/advisory/ntap-20220210-0024/

Third Party Advisory https://www.oracle.com/security-alerts/cpujan2022.html

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0159

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0160

and 16 more references

/ 100

high-risk

Severity 23/34 · High

Exploitability 4/34 · Minimal

Exposure 33/34 · Critical