Name | CVE-2014-3558 |
Description | ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 762690 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
libhibernate-validator-java (PTS) | jessie | 4.0.2.GA-8 | vulnerable |
| stretch | 4.3.3-1+deb9u1 | fixed |
| buster | 4.3.4-1 | fixed |
| bullseye | 5.3.6-1 | fixed |
| bookworm | 5.3.6-2 | fixed |
| sid, trixie | 5.3.6-3 | fixed |
The information below is based on the following data on fixed versions.
Notes
[jessie] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
[wheezy] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
[squeeze] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
RedHat upgraded to new upstream versions in their security
updates. No patches are available for the 4.0.x branch we
have in Debian. Known fixed versions are 4.2.1, 4.3.2, and 5.1.2.
Upstream ticket: https://hibernate.atlassian.net/browse/HV-912