An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1138 Final 1.0 1.0 2021-04-07 Initial 2021-04-07 2021-04-07 openEuler SA Tool V1.0 2021-04-07 hibernate-validator security update An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1. This is the reference implementation of JSR-349 - Bean Validation 1.1. Bean Validation defines a meta-data model and API for JavaBean as well as method validation. The default meta-data source are annotations, with the ability to override and extend the meta-data through the use of XML validation descriptors. Security Fix(es): A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.(CVE-2020-10693) An update for hibernate-validator is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium hibernate-validator https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1138 https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-10693 https://nvd.nist.gov/vuln/detail/CVE-2020-10693 openEuler-20.03-LTS-SP1 hibernate-validator-annotation-processor-5.2.4-3.oe1.noarch.rpm hibernate-validator-cdi-5.2.4-3.oe1.noarch.rpm hibernate-validator-performance-5.2.4-3.oe1.noarch.rpm hibernate-validator-5.2.4-3.oe1.noarch.rpm hibernate-validator-parent-5.2.4-3.oe1.noarch.rpm hibernate-validator-javadoc-5.2.4-3.oe1.noarch.rpm hibernate-validator-test-utils-5.2.4-3.oe1.noarch.rpm hibernate-validator-5.2.4-3.oe1.src.rpm A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. 2021-04-07 CVE-2020-10693 openEuler-20.03-LTS-SP1 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N hibernate-validator security update 2021-04-07 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1138