CVE-2024-39677

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-39677
NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 Patch
https://github.com/nhibernate/nhibernate-core/issues/3516 Issue Tracking
https://github.com/nhibernate/nhibernate-core/pull/3517 Issue Tracking
https://github.com/nhibernate/nhibernate-core/pull/3547 Issue Tracking Patch
https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q Vendor Advisory
https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 Patch
https://github.com/nhibernate/nhibernate-core/issues/3516 Issue Tracking
https://github.com/nhibernate/nhibernate-core/pull/3517 Issue Tracking
https://github.com/nhibernate/nhibernate-core/pull/3547 Issue Tracking Patch
https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nhibernate:nhibernate-core:*:*:*:*:*:*:*:*
cpe:2.3:a:nhibernate:nhibernate-core:*:*:*:*:*:*:*:*
History

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 - Patch () https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 - Patch
References () https://github.com/nhibernate/nhibernate-core/issues/3516 - Issue Tracking () https://github.com/nhibernate/nhibernate-core/issues/3516 - Issue Tracking
References () https://github.com/nhibernate/nhibernate-core/pull/3517 - Issue Tracking () https://github.com/nhibernate/nhibernate-core/pull/3517 - Issue Tracking
References () https://github.com/nhibernate/nhibernate-core/pull/3547 - Issue Tracking, Patch () https://github.com/nhibernate/nhibernate-core/pull/3547 - Issue Tracking, Patch
References () https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q - Vendor Advisory () https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q - Vendor Advisory
CVSS v2 : unknown
v3 : 9.8 		v2 : unknown
v3 : 5.9

29 Aug 2024, 17:29

Type Values Removed Values Added
First Time Nhibernate nhibernate-core
Nhibernate
CVSS v2 : unknown
v3 : 5.9 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:nhibernate:nhibernate-core:*:*:*:*:*:*:*:*
References () https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 - () https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 - Patch
References () https://github.com/nhibernate/nhibernate-core/issues/3516 - () https://github.com/nhibernate/nhibernate-core/issues/3516 - Issue Tracking
References () https://github.com/nhibernate/nhibernate-core/pull/3517 - () https://github.com/nhibernate/nhibernate-core/pull/3517 - Issue Tracking
References () https://github.com/nhibernate/nhibernate-core/pull/3547 - () https://github.com/nhibernate/nhibernate-core/pull/3547 - Issue Tracking, Patch
References () https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q - () https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q - Vendor Advisory
Summary
  • (es) NHibernate es un mapeador relacional de objetos para el framework .NET. Existe una vulnerabilidad de inyección SQL en algunos tipos que implementan ILiteralType.ObjectToSQLString. Quienes llaman a estos métodos están expuestos a la vulnerabilidad, que incluye asignaciones que utilizan herencia con valores discriminadores; Consultas HQL que hacen referencia a un campo estático de la aplicación; usuarios de las utilidades SqlInsertBuilder y SqlUpdateBuilder, llamando a su sobrecarga AddColumn tomando un valor literal; y cualquier uso directo de los métodos ObjectToSQLString para crear consultas SQL en el lado del usuario. Esta vulnerabilidad se solucionó en 5.4.9 y 5.5.2.

08 Jul 2024, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-08 15:15

Updated : 2024-11-21 09:28

NVD link : CVE-2024-39677

Mitre link : CVE-2024-39677

CVE.ORG link : CVE-2024-39677

JSON object : View

Products Affected

nhibernate

  • nhibernate-core
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')