CVE-2014-3558

NameCVE-2014-3558
DescriptionReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs762690

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libhibernate-validator-java (PTS)jessie4.0.2.GA-8vulnerable
stretch4.3.3-1+deb9u1fixed
buster4.3.4-1fixed
bullseye5.3.6-1fixed
bookworm5.3.6-2fixed
sid, trixie5.3.6-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libhibernate-validator-javasource(unstable)4.2.1-2low762690

Notes

[jessie] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
[wheezy] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
[squeeze] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
RedHat upgraded to new upstream versions in their security
updates. No patches are available for the 4.0.x branch we
have in Debian. Known fixed versions are 4.2.1, 4.3.2, and 5.1.2.
Upstream ticket: https://hibernate.atlassian.net/browse/HV-912

Search for package or bug name: Reporting problems