A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1881353 | Issue Tracking Third Party Advisory |
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E | |
https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E | |
https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html | Mailing List Third Party Advisory |
https://www.debian.org/security/2021/dsa-4908 | Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 May 2022, 15:46
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* |
20 Apr 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Apr 2022, 15:41
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* | |
References | (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E - Mailing List, Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E - Mailing List, Third Party Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory |
18 Oct 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Oct 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Jun 2021, 13:25
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
References | (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - Third Party Advisory |
Information
Published : 2020-12-02 15:15
Updated : 2024-02-04 21:23
NVD link : CVE-2020-25638
Mitre link : CVE-2020-25638
CVE.ORG link : CVE-2020-25638
JSON object : View
Products Affected
debian
- debian_linux
quarkus
- quarkus
hibernate
- hibernate_orm
oracle
- retail_customer_management_and_segmentation_foundation
- communications_cloud_native_core_console
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')