[hibernate-issues] [JIRA] (HV-1498) Privilege escalation when running under the security manager

Travis Spencer (JIRA) jira at hibernate.atlassian.net
Tue Aug 11 04:26:36 EDT 2020


Travis Spencer ( https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Acd6dedc4-6f51-4d21-9381-455579531682 ) *commented* on HV-1498 ( https://hibernate.atlassian.net/browse/HV-1498?atlOrigin=eyJpIjoiNjU4OGViZGYxNGRhNDliYTk4MmQ3MmE5NWVkMGNkM2YiLCJwIjoiaiJ9 )

Re: Privilege escalation when running under the security manager ( https://hibernate.atlassian.net/browse/HV-1498?atlOrigin=eyJpIjoiNjU4OGViZGYxNGRhNDliYTk4MmQ3MmE5NWVkMGNkM2YiLCJwIjoiaiJ9 )

The fix version is set to 5.2-next and I see this on the HEAD of the 5.2 branch, but I’m wondering what exact version of 5.2 is this fix in? On the NIST site ( https://nvd.nist.gov/vuln/detail/CVE-2017-7536 ) , the CVE says:

> In Hibernate Validator 5.2.x before 5.2.5 final

This makes me think that 5.2.5 Final is not vulnerable. However, I don’t see it in the 5.2 changelog ( https://github.com/hibernate/hibernate-validator/blob/5.2/changelog.txt ) , so I’m confused. Fossa scan is also reporting 5.2.5 Final as vulnerable. Can you confirm the fix is in 5.2.5 Final or if there’s a 5.2.6 planned that will have this fix or if going to 5.3 (or 5.4) is the way to go?


