{"id":"CVE-2020-10693","details":"A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.","aliases":["GHSA-rmrm-75hp-phr2"],"modified":"2026-03-14T09:48:22.373099Z","published":"2020-05-06T14:15:10.753Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hibernate/hibernate-validator","events":[{"introduced":"6464faa54e83bd9ed4ff1096e927bd67de20e4ad"},{"fixed":"4dc4cd3779c829ca8416caa498a2b790150b7688"},{"introduced":"334e271992ae6c3cb649fe3ea32bd6dd38c02685"},{"fixed":"8bd23be81cb7c34604b7ed401ac5d9045110681d"},{"introduced":"0"},{"last_affected":"2318f6e794b674dd1ef85e69cbc4d142c28d9020"}],"database_specific":{"versions":[{"introduced":"5.0.0"},{"fixed":"6.0.20"},{"introduced":"6.1.2"},{"fixed":"6.1.5"},{"introduced":"0"},{"last_affected":"7.0.0-alpha1"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"4b5438d1f3e119732d3ffa14f9c2bb6da4a810b3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.2"}]}}],"versions":["5.0.0.Final","5.0.1.Final","5.1.0.Alpha1","5.1.0.Beta1","5.1.0.CR1","5.1.0.Final","5.1.1.Final","5.2.0.Alpha1","5.2.0.Beta1","5.2.0.CR1","5.2.0.Final","5.2.1.Final","5.2.2.Final","5.3.0.Alpha1","6.0.0.Alpha1","6.0.0.Alpha2","6.0.0.Beta1","6.0.0.Beta2","6.0.0.CR1","6.0.0.CR2","6.0.0.CR3","6.0.1.Final","6.0.2.Final","6.0.3.Final","6.0.4.Final","6.0.5.Final","6.0.6.Final","6.0.7.Final","6.0.8.Final","6.0.9.Final","6.1.0.Alpha1","6.1.0.Alpha2","6.1.0.Alpha3","6.1.0.Alpha4","6.1.0.Alpha5","6.1.0.Alpha6","6.1.0.Final","6.1.1.Final","6.1.2.Final","7.0.0.Alpha1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"17.0.0.3"},{"last_affected":"20.0.0.10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.8"}]},{"events":[{"introduced":"0"},{"last_affected":"6.8"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10693.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}