PT-2020-9626 · Unknown+1 · Hibernate Orm+1

Published 2020-07-06 · Updated 2022-04-29 · CVE-2019-14900

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Hibernate ORM versions prior to 5.3.18
Hibernate ORM versions prior to 5.4.18
Hibernate ORM versions prior to 5.5.0.Beta1

Description

A flaw was found in the implementation of the JPA Criteria API, permitting unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This could allow an attacker to access unauthorized information or possibly conduct further attacks.

Recommendations

For versions prior to 5.3.18, update to version 5.3.18 or later.
For versions prior to 5.4.18, update to version 5.4.18 or later.
For versions prior to 5.5.0.Beta1, update to version 5.5.0.Beta1 or later.
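A way to check deployed jars against the fixed versions listed above, as an added example that is not part of the original advisory. It assumes the three entries name one fixed release per 5.3, 5.4 and 5.5 branch, that older branches have no fixed release, and that the library ships as hibernate-core-<version>.jar; the sample paths are constructed.

```python
import re

# Fixed releases listed in the advisory, one per (major, minor) branch.
FIXED = {(5, 3): "5.3.18", (5, 4): "5.4.18", (5, 5): "5.5.0.Beta1"}
# Hibernate qualifier order; a version with no qualifier is treated as Final.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "final": 3}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+)(\d*))?")
JAR_RE = re.compile(r"hibernate-core-(.+)\.jar$")  # assumed jar naming
# Constructed sample of jar paths found in a deployment.
SAMPLE = [
    "WEB-INF/lib/hibernate-core-5.3.17.Final.jar",
    "lib/hibernate-core-5.4.18.Final.jar",
    "lib/hibernate-core-5.5.0.Alpha1.jar",
    "lib/hibernate-validator-6.1.5.Final.jar",
]


def parse_version(text):
    """Turn '5.5.0.Beta1' into the sortable tuple (5, 5, 0, 1, 1)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m or (m.group(4) or "final").lower() not in QUALIFIER_RANK:
        raise ValueError(f"unrecognised Hibernate version: {text!r}")
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    rank = QUALIFIER_RANK[(m.group(4) or "final").lower()]
    return (major, minor, micro, rank, int(m.group(5) or 0))


def is_affected(version):
    """True when the version predates the fixed release of its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch < min(FIXED):   # older branch: no fixed release listed for it
        return True
    if branch > max(FIXED):   # newer than every fixed release listed
        return False
    return v < parse_version(FIXED[branch])


def audit_jars(paths):
    """Map each hibernate-core jar path to whether its version is affected."""
    findings = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:  # other artifacts (e.g. hibernate-validator) are skipped
            findings[path] = is_affected(m.group(1))
    return findings


if __name__ == "__main__":
    for path, affected in audit_jars(SAMPLE).items():
        print(("AFFECTED  " if affected else "ok        ") + path)
```

Versions with qualifiers outside Alpha, Beta, CR and Final (for example snapshot builds) raise ValueError so they get reviewed by hand rather than silently passed.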

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2019-14900
GHSA-8GRG-Q944-CCH5
OESA-2021-1135
OESA-2021-1136
OESA-2021-1137
RHSA-2020:3461
RHSA-2020:3462
RHSA-2020:3463
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639
SUSE-SU-2020:2650-1
SUSE-SU-2020:2832-1

Affected Products

Hibernate Orm
Suse