SQL Injection Affecting org.hibernate:hibernate-core package, versions [,5.3.18.Final) [5.4.0.Final, 5.4.18.Final)

Attack Complexity

High
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGHIBERNATE-584563
published

15 Jul 2020
disclosed

18 Jun 2020
credit

Gail Badner

Report a new vulnerability Found a mistake?

Introduced: 18 Jun 2020

CVE-2019-14900 Open this link in a new tab CWE-89 Open this link in a new tab

How to fix?

Upgrade org.hibernate:hibernate-core to version 5.3.18.Final, 5.4.18.Final or higher.

Overview

org.hibernate:hibernate-core is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.

Affected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

SQL Injection Affecting org.hibernate:hibernate-core package, versions [,5.3.18.Final) [5.4.0.Final, 5.4.18.Final)

Attack Complexity

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 18 Jun 2020

How to fix?

Overview

References