Attacker Value: Unknown (0 users assessed)
Exploitability: Unknown (0 users assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2019-10219

Disclosure Date: November 08, 2019

Description

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

CVSS V3 Severity and Metrics

Base Score: 6.1 Medium
Impact Score: 2.7
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

General Information

Vendors

  • netapp,
  • oracle,
  • redhat

Products

  • access manager 11.1.2.3.0,
  • access manager 12.2.1.3.0,
  • access manager 12.2.1.4.0,
  • active iq unified manager -,
  • agile engineering data management 6.2.1.0,
  • agile plm 9.3.3,
  • agile plm 9.3.6,
  • agile product lifecycle analytics 3.6.1,
  • agile product lifecycle management integration pack 3.6,
  • airlines data model 12.1.1.0.0,
  • airlines data model 12.2.0.1.0,
  • application express 21.1.4,
  • application performance management 13.4.1.0,
  • application performance management 13.5.1.0,
  • application testing suite 13.3.0.1,
  • argus analytics 8.2.1,
  • argus analytics 8.2.2,
  • argus analytics 8.2.3,
  • argus analytics 8.21,
  • argus insight 8.2.1,
  • argus insight 8.2.2,
  • argus insight 8.2.3,
  • argus safety 8.2.1,
  • argus safety 8.2.2,
  • argus safety 8.2.3,
  • banking apis 18.1,
  • banking apis 18.2,
  • banking apis 18.3,
  • banking apis 19.1,
  • banking apis 19.2,
  • banking apis 20.1,
  • banking apis 21.1,
  • banking deposits and lines of credit servicing 2.12.0,
  • banking digital experience 17.2,
  • banking digital experience 18.1,
  • banking digital experience 18.3,
  • banking digital experience 19.1,
  • banking digital experience 19.2,
  • banking digital experience 20.1,
  • banking digital experience 21.1,
  • banking enterprise default management 2.10.0,
  • banking enterprise default management 2.12.0,
  • banking enterprise default management 2.6.2,
  • banking enterprise default management 2.7.0,
  • banking enterprise default management 2.7.1,
  • banking enterprise default management,
  • banking loans servicing 2.12.0,
  • banking party management 2.7.0,
  • banking platform,
  • banking platform 2.6.2,
  • banking platform 2.7.0,
  • banking platform 2.7.1,
  • bi publisher 11.1.1.9.0,
  • bi publisher 12.2.1.3.0,
  • bi publisher 12.2.1.4.0,
  • bi publisher 5.5.0.0.0,
  • big data spatial and graph 23.1,
  • business activity monitoring 12.2.1.4.0,
  • business intelligence 12.2.1.3.0,
  • business intelligence 12.2.1.4.0,
  • business intelligence 5.5.0.0.0,
  • business intelligence 5.9.0.0.0,
  • business process management suite 12.2.1.3.0,
  • business process management suite 12.2.1.4.0,
  • clinical 5.2.1,
  • clinical 5.2.2,
  • commerce guided search 11.3.2,
  • commerce platform,
  • communications application session controller 3.9.0,
  • communications billing and revenue management 12.0.0.3,
  • communications billing and revenue management 12.0.0.4,
  • communications billing and revenue management elastic charging engine 11.3,
  • communications billing and revenue management elastic charging engine 12.0,
  • communications calendar server 8.0.0.5.0,
  • communications calendar server 8.0.0.6.0,
  • communications cloud native core automated test suite 1.8.0,
  • communications cloud native core binding support function 1.10.0,
  • communications cloud native core binding support function 1.9.0,
  • communications cloud native core console 1.7.0,
  • communications cloud native core network function cloud native environment 1.9.0,
  • communications cloud native core network repository function 1.14.0,
  • communications cloud native core policy 1.14.0,
  • communications cloud native core security edge protection proxy 1.15.0,
  • communications cloud native core security edge protection proxy 1.5.0,
  • communications cloud native core security edge protection proxy 1.6.0,
  • communications cloud native core service communication proxy 1.14.0,
  • communications cloud native core unified data repository 1.14.0,
  • communications contacts server 8.0.0.3.0,
  • communications converged application server - service controller 6.2,
  • communications convergence 3.0.2.2.0,
  • communications convergent charging controller,
  • communications convergent charging controller 6.0.1.0.0,
  • communications data model 11.3.2.1.0,
  • communications data model 11.3.2.2.0,
  • communications data model 11.3.2.3.0,
  • communications data model 12.1.0.1.0,
  • communications data model 12.1.2.0.0,
  • communications design studio 7.3.4,
  • communications design studio 7.3.5,
  • communications design studio 7.4.0,
  • communications design studio 7.4.1,
  • communications design studio 7.4.2,
  • communications diameter signaling route,
  • communications eagle application processor,
  • communications instant messaging server 10.0.1.5.0,
  • communications interactive session recorder 6.3,
  • communications interactive session recorder 6.4,
  • communications messaging server 8.1,
  • communications metasolv solution 6.3.1,
  • communications network charging and control,
  • communications network charging and control 6.0.1.0.0,
  • communications network integrity 7.3.5,
  • communications network integrity 7.3.6,
  • communications offline mediation controller 12.0.0.3,
  • communications operations monitor 3.4,
  • communications operations monitor 4.2,
  • communications operations monitor 4.3,
  • communications operations monitor 4.4,
  • communications operations monitor 5.0,
  • communications pricing design center 12.0.0.3.0,
  • communications pricing design center 12.0.0.4.0,
  • communications service broker 6.2,
  • communications services gatekeeper 7.0,
  • communications session border controller 8.2,
  • communications session border controller 8.3,
  • communications session border controller 8.4,
  • communications session border controller 9.0,
  • communications unified inventory management 7.3.0,
  • communications unified inventory management 7.3.4,
  • communications unified inventory management 7.3.5,
  • communications unified inventory management 7.4.0,
  • communications unified inventory management 7.4.1,
  • communications unified inventory management 7.4.2,
  • communications unified inventory management 7.5.0,
  • communications webrtc session controller 7.2.0,
  • communications webrtc session controller 7.2.1,
  • data integrator 12.2.1.3.0,
  • data integrator 12.2.1.4.0,
  • database server 12.1.0.1,
  • database server 12.1.0.2,
  • database server 19c,
  • database server 21c,
  • demantra demand management,
  • documaker,
  • e-business suite,
  • element -,
  • enterprise communications broker 3.3,
  • enterprise data quality 12.2.1.3.0,
  • enterprise data quality 12.2.1.4.0,
  • enterprise manager base platform 13.4.0.0,
  • enterprise manager base platform 13.5.0.0,
  • enterprise manager ops center 12.4.0.0,
  • enterprise session border controller 8.4,
  • enterprise session border controller 9.0,
  • essbase,
  • essbase 11.1.2.4.47,
  • essbase administration services,
  • essbase administration services 11.1.2.4.47,
  • financial services analytical applications infrastructure,
  • financial services analytical applications infrastructure 7.3.3,
  • financial services behavior detection platform 8.0.11,
  • financial services behavior detection platform 8.0.7,
  • financial services behavior detection platform 8.0.8,
  • financial services enterprise case management 8.0.11,
  • financial services enterprise case management 8.0.7,
  • financial services enterprise case management 8.0.8,
  • financial services foreign account tax compliance act management 8.0.11,
  • financial services foreign account tax compliance act management 8.0.7,
  • financial services foreign account tax compliance act management 8.0.8,
  • financial services model management and governance,
  • financial services trade-based anti money laundering 8.0.7,
  • financial services trade-based anti money laundering 8.0.8,
  • flexcube investor servicing 12.0.4,
  • flexcube investor servicing 12.1.0,
  • flexcube investor servicing 12.3.0,
  • flexcube investor servicing 12.4.0,
  • flexcube investor servicing 14.4.0,
  • flexcube investor servicing 14.5.0,
  • flexcube private banking 12.0.0,
  • flexcube private banking 12.1.0,
  • fujitsu m10-1 firmware -,
  • fujitsu m10-4 firmware -,
  • fujitsu m10-4s firmware -,
  • fujitsu m12-1 firmware -,
  • fujitsu m12-2 firmware -,
  • fujitsu m12-2s firmware -,
  • fuse 1.0,
  • fusion middleware 12.2.1.3.0,
  • fusion middleware 12.2.1.4.0,
  • fusion middleware mapviewer 12.2.1.4.0,
  • goldengate,
  • goldengate application adapters 19.1.0.0.0,
  • graalvm 20.3.4,
  • graalvm 21.3.0,
  • graph server and client,
  • health sciences clinical development analytics 4.0.1,
  • health sciences inform crf submit 6.2.1,
  • health sciences information manager 3.0.2,
  • health sciences information manager 3.0.3,
  • healthcare data repository 7.0.2,
  • healthcare data repository 8.1.0,
  • healthcare data repository 8.1.1,
  • healthcare foundation,
  • healthcare foundation 8.1.0,
  • healthcare foundation 8.1.1,
  • healthcare translational research 4.1.0,
  • hibernate validator,
  • hibernate validator 6.1.0,
  • hospitality cruise shipboard property management system 20.1.0,
  • hospitality opera 5 property services 5.6,
  • hospitality reporting and analytics 9.1.0,
  • hospitality suite8 8.10.2,
  • hospitality suite8 8.11.0,
  • hospitality suite8 8.12.0,
  • hospitality suite8 8.13.0,
  • hospitality suite8 8.14.0,
  • http server 12.2.1.3.0,
  • http server 12.2.1.4.0,
  • hyperion financial management 11.1.2.4,
  • hyperion financial management 11.2.6.0,
  • hyperion ilearning 6.2,
  • hyperion ilearning 6.3,
  • hyperion infrastructure technology 11.2.7.0,
  • instantis enterprisetrack 17.1,
  • instantis enterprisetrack 17.2,
  • instantis enterprisetrack 17.3,
  • insurance data gateway 11.0.2,
  • insurance data gateway 11.1.0,
  • insurance data gateway 11.2.7,
  • insurance data gateway 11.3.0,
  • insurance data gateway 11.3.1,
  • insurance insbridge rating and underwriting,
  • insurance insbridge rating and underwriting 5.2.0,
  • insurance policy administration 11.0.2,
  • insurance policy administration 11.1.0,
  • insurance policy administration 11.2.7,
  • insurance policy administration 11.3.0,
  • insurance policy administration 11.3.1,
  • insurance policy administration j2ee,
  • insurance policy administration j2ee 10.2.0,
  • insurance policy administration j2ee 10.2.4,
  • insurance policy administration j2ee 11.0.2,
  • insurance rules palette,
  • insurance rules palette 10.2.0,
  • insurance rules palette 10.2.4,
  • insurance rules palette 11.0.2,
  • insurance rules palette 11.3.1,
  • java se 17.1,
  • java se 7u321,
  • java se 8u311,
  • jboss data grid -,
  • jboss enterprise application platform -,
  • jboss enterprise application platform 7.2,
  • jboss enterprise application platform 7.3,
  • jd edwards enterpriseone orchestrator,
  • jdk 11.0.13,
  • managed file transfer 12.2.1.3.0,
  • managed file transfer 12.2.1.4.0,
  • management services for element software and netapp hci -,
  • mysql cluster,
  • mysql connectors,
  • mysql connectors 8.0.27,
  • mysql server,
  • mysql server 5.7.36,
  • mysql workbench,
  • nosql database,
  • openshift application runtimes -,
  • oss support tools,
  • peoplesoft enterprise cs sa integration pack 9.0,
  • peoplesoft enterprise cs sa integration pack 9.2,
  • peoplesoft enterprise people tools 8.57,
  • peoplesoft enterprise people tools 8.58,
  • peoplesoft enterprise people tools 8.59,
  • peoplesoft enterprise peopletools 8.57,
  • peoplesoft enterprise peopletools 8.58,
  • policy automation,
  • policy automation 10.4.7,
  • primavera analytics 18.8.3.3,
  • primavera analytics 19.12.11.1,
  • primavera analytics 20.12.12.0,
  • primavera data warehouse 18.8.3.3,
  • primavera data warehouse 19.12.11.1,
  • primavera data warehouse 20.12.12.0,
  • primavera gateway,
  • primavera gateway 21.12.0,
  • primavera p6 enterprise project portfolio management,
  • primavera p6 enterprise project portfolio management 21.12.0.0,
  • primavera p6 professional project management,
  • primavera portfolio management,
  • primavera portfolio management 20.0.0.0,
  • primavera portfolio management 20.0.0.1,
  • primavera unifier,
  • primavera unifier 18.8,
  • primavera unifier 19.12,
  • primavera unifier 20.12,
  • primavera unifier 21.12,
  • rapid planning,
  • real user experience insight 13.4.1.0,
  • real user experience insight 13.5.1.0,
  • real-time decision server 3.2.0.0,
  • rest data services 21.2.4,
  • retail allocation 14.1.3.2,
  • retail allocation 15.0.3.1,
  • retail allocation 16.0.3,
  • retail allocation 19.0.1,
  • retail analytics,
  • retail assortment planning 16.0.3,
  • retail back office 14.1,
  • retail central office 14.1,
  • retail customer insights,
  • retail customer management and segmentation foundation,
  • retail eftlink 16.0.3,
  • retail eftlink 17.0.2,
  • retail eftlink 18.0.1,
  • retail eftlink 19.0.1,
  • retail eftlink 20.0.1,
  • retail extract transform and load 13.2.8,
  • retail financial integration 14.1.3.2,
  • retail financial integration 15.0.3.1,
  • retail financial integration 16.0.3,
  • retail financial integration 19.0.1,
  • retail fiscal management 14.2,
  • retail integration bus,
  • retail integration bus 13.0,
  • retail integration bus 14.1.3.0,
  • retail integration bus 14.1.3.2,
  • retail integration bus 15.0.3.1,
  • retail integration bus 19.0.0,
  • retail integration bus 19.0.1,
  • retail invoice matching 15.0.3,
  • retail invoice matching 16.0.3,
  • retail merchandising system 19.0.1,
  • retail order broker 16.0,
  • retail order broker 18.0,
  • retail order broker 19.1,
  • retail order management system 19.5,
  • retail point-of-sale 14.1,
  • retail predictive application server 14.1.3,
  • retail predictive application server 14.1.3.46,
  • retail predictive application server 15.0.3,
  • retail predictive application server 15.0.3.115,
  • retail predictive application server 16.0.3,
  • retail predictive application server 16.0.3.240,
  • retail price management 13.2,
  • retail price management 14.0.4,
  • retail price management 14.1,
  • retail price management 14.1.3,
  • retail price management 15.0,
  • retail price management 15.0.3,
  • retail price management 16.0,
  • retail price management 16.0.3,
  • retail returns management 14.1,
  • retail service backbone,
  • retail service backbone 14.1.3.0,
  • retail service backbone 14.1.3.2,
  • retail service backbone 15.0.3.1,
  • retail service backbone 19.0.0,
  • retail service backbone 19.0.1,
  • retail size profile optimization 16.0.3,
  • retail xstore point of service 17.0.4,
  • retail xstore point of service 18.0.3,
  • retail xstore point of service 19.0.2,
  • retail xstore point of service 20.0.1,
  • sd-wan aware 8.2,
  • sd-wan edge 9.0,
  • sd-wan edge 9.1,
  • secure backup 18.1.0.1.0,
  • siebel applications,
  • single sign-on -,
  • snapcenter plug-in -,
  • solaris 10,
  • solaris 11,
  • spatial studio 21.2.1,
  • thesaurus management system 5.2.3,
  • thesaurus management system 5.3.0,
  • thesaurus management system 5.3.1,
  • timesten in-memory database,
  • utilities framework,
  • utilities framework 4.2.0.2.0,
  • utilities framework 4.2.0.3.0,
  • utilities framework 4.4.0.0.0,
  • utilities framework 4.4.0.2.0,
  • utilities framework 4.4.0.3.0,
  • utilities testing accelerator 6.0.0.1.1,
  • utilities testing accelerator 6.0.0.2.2,
  • utilities testing accelerator 6.0.0.3.1,
  • vm virtualbox,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0,
  • weblogic server 14.1.1.0.0,
  • zfs storage appliance kit 8.8,
  • zfs storage application integration engineering software 1.3.3