CVE-2019-14900SQL Injection in Hibernate ORM

CWE-89SQL Injection7 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
1.8%
top 17.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Hibernate ORMRedhat FuseQuarkus+4 more
Timeline
PublishedJul 6
Latest updateFeb 10

Description

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

NVDhibernate/hibernate_orm5.4.05.4.18+1
CVEListV5hibernate/hibernate_ormVersions before Hibernate ORM 5.3.18, Versions before Hibernate ORM 5.4.18, Versions before Hibernate ORM 5.5.0.Beta1+2
NVDredhat/fuse< 7.8.0
NVDquarkus/quarkus1.5.2
NVDredhat/openstack10, 13, 14+2

🔴Vulnerability Details

3
GHSA
SQL Injection in Hibernate ORM2022-02-10
OSV
SQL Injection in Hibernate ORM2022-02-10
CVEList
CVE-2019-14900: A flaw was found in Hibernate ORM in versions before 52020-07-06

📋Vendor Advisories

2
Red Hat
hibernate: SQL injection issue in Hibernate ORM2020-05-12
Debian
CVE-2019-14900: libhibernate3-java - A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Be...2019

💬Community

1
Bugzilla
CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM2019-01-15
CVE-2019-14900 — SQL Injection in Hibernate ORM | cvebase