PT-2020-6584 · Hibernate-Core

Published 2020-09-16 · Updated 2025-04-23 · CVE-2020-25638

CVSS v2.0: 8.8 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: hibernate-core, versions prior to and including 5.4.23.Final
Description: A flaw was found in the implementation of the JPA Criteria API. When Hibernate is configured to attach SQL comments to the statements it generates (the hibernate.use_sql_comments setting), a literal used in the query is copied into that comment without sanitization, so a literal built from attacker-controlled input is not confined to the comment and can alter the SQL that is actually executed. An attacker can use this to access unauthorized information or possibly conduct further attacks. The highest threat from this issue is to data confidentiality and integrity.
Recommendations: For versions prior to and including 5.4.23.Final, update to a later release (5.4.24.Final or newer). Where an upgrade is not immediately possible, leave SQL comments disabled (hibernate.use_sql_comments=false, which is Hibernate's default) and do not build Criteria literals from untrusted input; pass such values as bind parameters instead.
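The following Java example is added here to illustrate the two Criteria API patterns the recommendation contrasts; it is not code from the advisory or from the Hibernate project. The Account entity, its username field and the AccountLookup class are assumptions made for the example; hibernate.use_sql_comments is a real Hibernate configuration key.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;
import java.util.List;
import java.util.Properties;

// Minimal entity constructed for this example (assumption, not from the advisory).
@Entity
class Account {
    @Id
    Long id;
    String username;
}

public class AccountLookup {

    private final EntityManager em;

    public AccountLookup(EntityManager em) {
        this.em = em;
    }

    // Vulnerable pattern on hibernate-core <= 5.4.23.Final when
    // hibernate.use_sql_comments=true: cb.literal() places the caller's value
    // into the rendered query text, and Hibernate attaches that text to the
    // generated SQL as a comment without sanitizing it (CVE-2020-25638).
    // Untrusted input therefore reaches the SQL statement.
    public List<Account> findByUsernameWithLiteral(String untrustedUsername) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Account> cq = cb.createQuery(Account.class);
        Root<Account> account = cq.from(Account.class);
        cq.select(account)
          .where(cb.equal(account.get("username"), cb.literal(untrustedUsername)));
        return em.createQuery(cq).getResultList();
    }

    // Hardened pattern: declare a ParameterExpression and bind the value on the
    // TypedQuery. Only the placeholder name appears in the rendered query text
    // (and hence in any SQL comment); the value travels as a JDBC bind parameter.
    public List<Account> findByUsernameWithParameter(String untrustedUsername) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Account> cq = cb.createQuery(Account.class);
        Root<Account> account = cq.from(Account.class);
        ParameterExpression<String> username = cb.parameter(String.class, "username");
        cq.select(account)
          .where(cb.equal(account.get("username"), username));
        TypedQuery<Account> query = em.createQuery(cq);
        query.setParameter("username", untrustedUsername);
        return query.getResultList();
    }

    // Configuration-side mitigation for deployments that cannot upgrade yet:
    // keep SQL comments off (false is Hibernate's default). These properties
    // would be passed when building the EntityManagerFactory.
    public static Properties hardenedHibernateProperties() {
        Properties props = new Properties();
        props.setProperty("hibernate.use_sql_comments", "false");
        return props;
    }
}
```

Both lookups return the same rows for a benign username; the difference is only in what Hibernate renders into the query text that can end up in a SQL comment. Auditing for this issue therefore means searching for cb.literal() (and equal()/like() overloads that take a raw value) fed from request data, together with any configuration that enables hibernate.use_sql_comments.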

Fix

Weakness Enumeration

SQL injection
Related Identifiers

BDU:2022-00307
CVE-2020-25638
DLA-2512-1
DSA-4908-1
GHSA-J8JW-G6FQ-MP7H
RHSA-2020:5175
RHSA-2020:5340
RHSA-2020:5341
RHSA-2020:5342
RHSA-2021:2561
RHSA-2025:9582
SUSE-SU-2022:0225-1
SUSE-SU-2022:0593-1
USN-6845-1

Affected Products

Astra Linux
Linuxmint
Suse
Ubuntu
Hibernate-Core