Source: libhibernate-validator-java
Version: 5.3.6-3
Severity: important
Tags: upstream
Forwarded: https://hibernate.atlassian.net/browse/HV-1816
X-Debbugs-Cc: [email protected]
Control: clone -1 -2
Control: reassign -2 src:libhibernate-validator4-java 4.3.4-7
Control: retitle -2 libhibernate-validator4-java: CVE-2025-35036
Hi,

The following vulnerability was published for hibernate-validator.
Note I'm filing this report in the hope of getting some help to
properly assess this issue for the older versions in Debian.

CVE-2025-35036[0]:
| Hibernate Validator before 6.2.0 and 7.0.0, by default and depending
| on how it is used, may interpolate user-supplied input in a constraint
| violation message with Expression Language. This could allow an
| attacker to access sensitive information or execute arbitrary Java
| code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer
| interpolates custom constraint violation messages with Expression
| Language and strongly recommends not allowing user-supplied input in
| constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are
| examples of related, downstream vulnerabilities involving Expression
| Language interpolation of user-supplied data.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-35036
    https://www.cve.org/CVERecord?id=CVE-2025-35036
[1] https://hibernate.atlassian.net/browse/HV-1816
[2] https://github.com/hibernate/hibernate-validator/pull/1138

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
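The CVE text above describes the risky usage only in the abstract. The following is an added illustration, not code from this report, from Hibernate Validator or from the Debian package, showing the two shapes of a custom ConstraintValidator that the advisory contrasts: one where user input becomes the message template (shown only as a comment, since that is the pattern to avoid), and one where the template is a constant and the rejected value is reported through ConstraintViolation#getInvalidValue() instead. It also shows the defence-in-depth configuration available on the affected line: installing ParameterMessageInterpolator, which resolves {parameters} but performs no Expression Language evaluation at all. The constraint name (Handle), its validator, the Form class and the sample input are assumptions made for the example; the javax.validation packages assume the 5.x/6.x line rather than 7.x.

```java
// Added example (not from the bug report or from Hibernate Validator itself).
// Assumes Hibernate Validator 5.x/6.x (javax.validation) on the classpath.
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.ValidatorFactory;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class SafeMessageExample {

    // Hypothetical constraint: the value must be a short alphanumeric handle.
    @Documented
    @Constraint(validatedBy = HandleValidator.class)
    @Target({ElementType.FIELD})
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Handle {
        String message() default "must be an alphanumeric handle of at most 16 characters";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class HandleValidator implements ConstraintValidator<Handle, String> {
        @Override
        public void initialize(Handle constraint) { }

        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.matches("[A-Za-z0-9]{1,16}")) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();

            // Pattern the advisory warns about (shown, not used): the user-controlled
            // value becomes the message *template*, so on versions that interpolate
            // templates with Expression Language any ${...} inside it is evaluated.
            //   ctx.buildConstraintViolationWithTemplate("'" + value + "' is not a valid handle")
            //      .addConstraintViolation();

            // Safer: the template is a constant string and the rejected value is never
            // part of it. Callers that need the value read it from
            // ConstraintViolation#getInvalidValue(), which is not interpolated.
            ctx.buildConstraintViolationWithTemplate(
                    "must be an alphanumeric handle of at most 16 characters")
               .addConstraintViolation();
            return false;
        }
    }

    // Hypothetical bean carrying the constrained field.
    public static class Form {
        @Handle
        public String handle;
        public Form(String handle) { this.handle = handle; }
    }

    // Defence in depth on the affected versions: ParameterMessageInterpolator resolves
    // {parameter} placeholders but never evaluates ${...} Expression Language, so a
    // template that does contain user input cannot trigger EL evaluation.
    public static Validator validatorWithoutEl() {
        ValidatorFactory factory = Validation.byProvider(HibernateValidator.class)
                .configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory();
        return factory.getValidator();
    }

    public static void main(String[] args) {
        Validator validator = validatorWithoutEl();
        // Constructed input: contains characters the handle rule rejects.
        Set<ConstraintViolation<Form>> violations = validator.validate(new Form("not a handle!"));
        for (ConstraintViolation<Form> v : violations) {
            System.out.println(v.getPropertyPath() + ": " + v.getMessage()
                    + " (rejected value reported separately: " + v.getInvalidValue() + ")");
        }
    }
}
```

Two points for whoever assesses the older Debian versions: the interpolator swap is global, so it also stops legitimate ${validatedValue}-style expressions in the application's own message bundles, which is why the upstream fix narrows EL rather than removing it; and the constant-template rule in the validator is the part that holds regardless of which interpolator the deployment ends up with.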
