CVE-2020-25638

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*
cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*

History

25 Jul 2022, 18:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

10 May 2022, 15:46

Type Values Removed Values Added
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
CPE cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

01 Apr 2022, 15:41

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
References (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E - Mailing List, Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E - Mailing List, Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory

18 Oct 2021, 10:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E -

15 Oct 2021, 17:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -
  • (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E -

02 Jun 2021, 13:25

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - Third Party Advisory

Information

Published : 2020-12-02 15:15

Updated : 2024-02-04 21:23


NVD link : CVE-2020-25638

Mitre link : CVE-2020-25638

CVE.ORG link : CVE-2020-25638


JSON object : View

Products Affected

debian

  • debian_linux

quarkus

  • quarkus

hibernate

  • hibernate_orm

oracle

  • retail_customer_management_and_segmentation_foundation
  • communications_cloud_native_core_console
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')