Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThncmctcTk0NC1jY2g1

Moderate EPSS: 0.01224% (0.78281 Percentile) EPSS:
Permalink JSON

SQL Injection in Hibernate ORM

Affected Packages Affected Versions Fixed Versions
maven:org.hibernate:hibernate-core >= 5.5.0.Alpha1, < 5.5.0.Beta1, >= 5.4.0, < 5.4.18, < 5.3.18 5.5.0.Beta1, 5.4.18, 5.3.18
3,469 Dependent packages
145,451 Dependent repositories

Affected Version Ranges

All affected versions

4.1.2, 5.4.33, 5.5.6

All unaffected versions

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

References:

Identifiers

GHSA-8grg-q944-cch5

CVE-2019-14900

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.01224

EPSS Percentile: 0.78281

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/hibernate/hibernate-orm

Date and time

Published

over 3 years ago

Updated

about 1 year ago

API

JSON