CWE-470
AllowedUse of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Abstraction: Base · Status: Draft
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
111 vulnerabilities reference this CWE, most recent first.
GHSA-XXGP-PCFC-3VGC
Vulnerability from github – Published: 2020-06-15 19:57 – Updated: 2022-07-20 14:21In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x before 5.3.6.Final, and 5.4.x before 5.4.2.Final, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.4.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.hibernate:hibernate-validator"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.5.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.3.5.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.hibernate:hibernate-validator"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.6.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.4.1.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.hibernate:hibernate-validator"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0"
},
{
"fixed": "5.4.2.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7536"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-11T18:50:29Z",
"nvd_published_at": "2018-01-10T15:29:00Z",
"severity": "HIGH"
},
"details": "In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x before 5.3.6.Final, and 5.4.x before 5.4.2.Final, it was found that when the security manager\u0027s reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().",
"id": "GHSA-xxgp-pcfc-3vgc",
"modified": "2022-07-20T14:21:17Z",
"published": "2020-06-15T19:57:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7536"
},
{
"type": "WEB",
"url": "https://github.com/hibernate/hibernate-validator/commit/0886e89900d343ea20fde5137c9a3086e6da9ac"
},
{
"type": "WEB",
"url": "https://github.com/hibernate/hibernate-validator/commit/0778a5c98b817771a645c6f4ba0b28dd8b5437b"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
},
{
"type": "PACKAGE",
"url": "https://github.com/hibernate/hibernate-validator"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3817"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2743"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2742"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2740"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3458"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3454"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3141"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2811"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2809"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2808"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101048"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039744"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Privilege Escalation in Hibernate Validator"
}
Mitigation
Refactor your code to avoid using reflection.
Mitigation
Do not use user-controlled inputs to select and load classes or code.
Mitigation
Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
CAPEC-138: Reflection Injection
An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.