CVE-2020-25638 — SQL Injection in Hibernate ORM
Severity
7.4HIGHNVD
EPSS
0.8%
top 25.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 2
Latest updateApr 15
Description
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2
Affected Packages4 packages
Also affects: Debian Linux 10.0, 9.0
Patches
🔴Vulnerability Details
4CVEList
▶
OSV
▶
📋Vendor Advisories
6Oracle▶
Oracle Oracle Utilities Applications Risk Matrix: General (hibernate-core) — CVE-2020-25638↗2024-04-15
Oracle▶
Oracle Oracle Fusion Middleware Risk Matrix: Core (JBoss Enterprise Application Platform) — CVE-2020-25638↗2023-04-15
Oracle
▶
Oracle
▶
Red Hat▶
hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used↗2020-10-01
💬Community
1Bugzilla▶
CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used↗2020-09-22