SQL Injection

Affecting org.hibernate:hibernate-core artifact, versions [,5.3.18.Final) || [5.4.0.Final, 5.4.18.Final)


Overview

org.hibernate:hibernate-core is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.

Affected versions of this package are vulnerable to SQL Injection. The implementation of the JPA Criteria API passed literals into the generated SQL unsanitized when a literal was used in the SELECT or GROUP BY parts of the query, so input that reaches such a literal becomes part of the statement text. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
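As an added illustration (not code from the advisory or from Hibernate itself), the affected call pattern is shown beside a form that keeps request data out of Criteria literals altogether; the Sale entity, its fields and the method names are hypothetical.

```java
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

public class CriteriaLiteralExample {

    @Entity public static class Sale {  // hypothetical entity for the illustration
        @Id Long id; String region; BigDecimal total;
    }

    // Affected pattern: a request string becomes a JPA literal projected in the SELECT
    // clause. On hibernate-core versions in the advisory's range, SELECT and GROUP BY
    // literals were inlined into the SQL text unsanitized, so the string could alter it.
    public static List<Object[]> totalsTagged(EntityManager em, String untrustedTag) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> cq = cb.createQuery(Object[].class);
        Root<Sale> s = cq.from(Sale.class);
        cq.multiselect(cb.literal(untrustedTag), s.get("region"), cb.sum(s.<BigDecimal>get("total")));
        cq.groupBy(s.get("region"));
        return em.createQuery(cq).getResultList();
    }

    // Defensive pattern to use alongside the upgrade: request data never enters a literal.
    // Filtering goes through a bound ParameterExpression, and the caller-supplied tag is
    // attached in Java after the rows come back, so it is never part of the SQL text.
    public static List<Object[]> totalsTaggedSafe(EntityManager em, String region, String tag) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> cq = cb.createQuery(Object[].class);
        Root<Sale> s = cq.from(Sale.class);
        ParameterExpression<String> regionParam = cb.parameter(String.class, "region");
        cq.multiselect(s.get("region"), cb.sum(s.<BigDecimal>get("total")));
        cq.where(cb.equal(s.get("region"), regionParam));
        cq.groupBy(s.get("region"));
        List<Object[]> rows = em.createQuery(cq).setParameter("region", region).getResultList();
        List<Object[]> tagged = new ArrayList<>();
        for (Object[] row : rows) {
            tagged.add(new Object[] { tag, row[0], row[1] });
        }
        return tagged;
    }
}
```

Searching a code base for `literal(` calls whose argument derives from request input, in SELECT or GROUP BY position, is the quickest way to find the affected pattern while the upgrade is rolled out.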

Remediation

Upgrade org.hibernate:hibernate-core to version 5.3.18.Final, 5.4.18.Final or higher.

CVSS Score

8.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
Gail Badner
CVE
CVE-2019-14900
CWE
CWE-89
Snyk ID
SNYK-JAVA-ORGHIBERNATE-584563
Disclosed
18 Jun, 2020
Published
15 Jul, 2020