CVE-2024-39677
**Name of the Vulnerable Software and Affected Versions**
NHibernate versions prior to 5.4.9
NHibernate versions prior to 5.5.2
**Description**
A SQL injection vulnerability exists in some types implementing `ILiteralType.ObjectToSQLString`. This vulnerability affects callers of these methods, including mappings using inheritance with discriminator values, HQL queries referencing a static field of the application, users of the `SqlInsertBuilder` and `SqlUpdateBuilder` utilities, and any direct use of the `ObjectToSQLString` methods for building SQL queries on the user side.
**Recommendations**
For NHibernate versions prior to 5.4.9, update to version 5.4.9 or later to resolve the issue.
For NHibernate versions prior to 5.5.2, update to version 5.5.2 or later to resolve the issue.
As a temporary workaround, ensure the application does not use the features listed above, such as mappings using inheritance with discriminator values and HQL queries referencing a static field of the application.
For discriminator usages, ensure that string discriminator values in the mappings do not contain quotes, and that the values used do not allow culture-based exploits.
Consider restricting the use of the `SqlInsertBuilder` and `SqlUpdateBuilder` utilities until the issue is resolved.
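The two discriminator checks above, as an added example that is not NHibernate's own code: a small C# audit that scans an hbm.xml mapping (the sample mapping is constructed) for discriminator values containing quotes, and renders numeric literals with the invariant culture so that the thread culture cannot alter the SQL text. The `discriminator-value` attribute is the standard hbm.xml attribute; the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Xml.Linq;

// Added audit helper (not NHibernate's code): flags discriminator values in an
// hbm.xml mapping that contain quotes, and shows culture-independent number
// formatting. The mapping text below is a constructed sample.
public static class DiscriminatorAudit
{
    const string ExampleMapping = @"<?xml version=""1.0""?>
<hibernate-mapping xmlns=""urn:nhibernate-mapping-2.2"">
  <class name=""Account"" table=""Accounts"" discriminator-value=""base"">
    <id name=""Id""/>
    <discriminator column=""Kind"" type=""String""/>
    <subclass name=""AdminAccount"" discriminator-value=""Admin's""/>
    <subclass name=""UserAccount"" discriminator-value=""user""/>
  </class>
</hibernate-mapping>";

    // Returns (class name, discriminator value) pairs whose value contains a quote.
    public static List<KeyValuePair<string, string>> FindUnsafeDiscriminators(string hbmXml)
    {
        var doc = XDocument.Parse(hbmXml);
        return doc.Descendants()
            .Where(e => e.Attribute("discriminator-value") != null)
            .Select(e => new KeyValuePair<string, string>(
                (string)e.Attribute("name"), (string)e.Attribute("discriminator-value")))
            .Where(kv => kv.Value.IndexOf('\'') >= 0 || kv.Value.IndexOf('"') >= 0)
            .ToList();
    }

    // Renders a numeric literal independently of the current culture: a culture
    // with a comma decimal separator would otherwise change the emitted SQL text.
    public static string InvariantNumber(IFormattable value)
    {
        return value.ToString(null, CultureInfo.InvariantCulture);
    }

    public static void Main()
    {
        foreach (var kv in FindUnsafeDiscriminators(ExampleMapping))
            Console.WriteLine($"Unsafe discriminator on {kv.Key}: {kv.Value}");
        CultureInfo.CurrentCulture = new CultureInfo("de-DE"); // simulate a non-invariant culture
        Console.WriteLine(1.5.ToString());        // culture-dependent rendering
        Console.WriteLine(InvariantNumber(1.5));  // culture-independent rendering
    }
}
```

Run the audit against each mapping file at build time so that a quoted discriminator value fails the build rather than reaching the SQL builder.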