PT-2024-28616 · Hibernate · Hibernate

Hazzik · Published 2024-07-08 · Updated 2024-11-14 · CVE-2024-39677

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

NHibernate versions prior to 5.4.9; NHibernate versions prior to 5.5.2

Description

A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. It affects every caller of these methods, including mappings that use inheritance with discriminator values, HQL queries that reference a static field of the application, users of the SqlInsertBuilder and SqlUpdateBuilder utilities, and any direct use of the ObjectToSQLString methods to build SQL queries on the user side.

Recommendations

For NHibernate versions prior to 5.4.9, update to version 5.4.9 or later to resolve the issue. For NHibernate versions prior to 5.5.2, update to version 5.5.2 or later to resolve the issue. As a temporary workaround, ensure the application does not use the features listed above, such as mappings using inheritance with discriminator values and HQL queries referencing a static field of the application. For discriminator usages, ensure the discriminator values in the mappings do not contain quotes for string discriminators, and ensure the values used cannot enable culture-dependent formatting exploits. Consider restricting the use of the SqlInsertBuilder and SqlUpdateBuilder utilities until the issue is resolved.
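To make the two failure modes in the description and workaround concrete, the following is an added C# illustration written for this page; it is not NHibernate's code and does not reproduce the affected types. The names NaiveLiteral and SafeLiteral, the de-DE culture and the sample values are all constructed for the example. It shows why a string literal containing a quote and a number rendered under a comma-decimal culture both break the SQL text when a value is spliced in as a literal, and what the hardened rendering looks like (quote doubling and invariant-culture formatting).

```csharp
using System;
using System.Globalization;

// Hypothetical literal renderer, added as an illustration of the defect class
// the advisory describes. Not NHibernate's implementation.
public static class LiteralRendering
{
    // Weak form: the value is spliced into SQL text without escaping, and
    // numbers are formatted with the current thread culture.
    public static string NaiveLiteral(object value)
    {
        switch (value)
        {
            case string s: return "'" + s + "'";      // a quote inside s ends the literal early
            case double d: return d.ToString();        // "1,5" under de-DE: two SQL tokens
            case bool b:   return b ? "1" : "0";
            default:       throw new ArgumentException("unsupported literal type");
        }
    }

    // Hardened form: single quotes are doubled (standard SQL string escaping),
    // numeric types use the invariant culture with a round-trip format, and
    // unknown types are rejected instead of being stringified.
    public static string SafeLiteral(object value)
    {
        switch (value)
        {
            case string s:  return "'" + s.Replace("'", "''") + "'";
            case double d:  return d.ToString("R", CultureInfo.InvariantCulture);
            case decimal m: return m.ToString(CultureInfo.InvariantCulture);
            case int i:     return i.ToString(CultureInfo.InvariantCulture);
            case bool b:    return b ? "1" : "0";
            default:
                throw new ArgumentException(
                    $"refusing to render {value?.GetType().Name ?? "null"} as a SQL literal");
        }
    }

    public static void Main()
    {
        // Constructed inputs: a string discriminator value that happens to
        // contain a quote, and a double rendered under a comma-decimal culture.
        CultureInfo.CurrentCulture = new CultureInfo("de-DE");
        string discriminator = "O'Brien";
        double amount = 1.5;

        Console.WriteLine("naive string : " + NaiveLiteral(discriminator)); // 'O'Brien'
        Console.WriteLine("safe  string : " + SafeLiteral(discriminator));  // 'O''Brien'
        Console.WriteLine("naive double : " + NaiveLiteral(amount));        // 1,5
        Console.WriteLine("safe  double : " + SafeLiteral(amount));         // 1.5
    }
}
```

The check this suggests for the workaround period is mechanical: review every string discriminator value in the mappings for a single quote, and confirm that any numeric value reaching these code paths is formatted with CultureInfo.InvariantCulture rather than the thread's current culture. The upgrade to 5.4.9 or 5.5.2 remains the actual fix.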

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2024-39677
GHSA-FG4Q-CCQ8-3R5Q

Affected Products

Hibernate