Comment From: fmartinou
Hi,
It seems that Hibernate Validator 6.2.0.Final is affected by CVE-2020-10693, which has been fixed in 7.0.1.Final.
Are there any plans to upgrade the version in the Spring Boot 2.5.x BOM?
Comment From: wilkinsona
According to the CVE to which you have linked, 6.2.0.Final is not affected. It is only 6.0.x and certain versions of 6.1.x that are affected. Even if that were not the case, upgrading to 7.0.x would not be an option at this time I'm afraid. Hibernate Validator 7 implements the Bean Validation 3.0 specification that is part of Jakarta EE 9. Jakarta EE 9 moves all of its API from javax.* packages to jakarta.* packages and as such is a major breaking change. Support for Jakarta EE 9 is planned for Spring Framework 6 and Spring Boot 3.
Comment From: fmartinou
Thank you very much for your answer.
I'm still unsure regarding whether 6.2.0.Final is affected.
According to NIST, the version packaged by RH is affected:
And the same according to Sonatype OSSIndex
Comment From: wilkinsona
That table in the CVE is certainly confusing but I still believe that 6.2.0.Final isn't vulnerable. It was released in December 2020, some 7 months after the 6.0.x and 6.1.x releases that fixed the vulnerability. If you want to be certain about this, you should raise it with Red Hat and the Hibernate Validator team. https://hibernate.atlassian.net/browse/HV-1774 is the issue tracking the vulnerability.
Comment From: fmartinou
As you suggested, I'll ask the Hibernate Validator team, just to get the confirmation; thanks for your time!
Comment From: msymons
> As you suggested, I'll ask the Hibernate Validator team, just to get the confirmation; thanks for your time!
I chased up with Sonatype and they have now updated their data to reflect that Hibernate Validator 6.2.0.Final is NOT affected by CVE-2020-10693.
Comment From: wilkinsona
That's great. Thanks very much, @msymons.