Lucene search

[email protected]CVE-2020-25638

HistoryDec 02, 2020 - 3:15 p.m.

CVE-2020-25638

2020-12-0215:15:12

CWE-89

[email protected]

web.nvd.nist.gov

236

hibernate-core

sql injection

jpa criteria api

vulnerability

data confidentiality

data integrity

cve-2020-25638

nvd

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.1%

JSON

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Affected configurations

Vulners

NVD

Node

hibernatehibernate_ormRange≤5.4.24

VendorProductVersionCPE
hibernatehibernate_orm*cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
hibernate	hibernate_orm	*	cpe:2.3:a:hibernate:hibernate_orm::::::::

CNA Affected

[
  {
    "product": "hibernate-core",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Hibernate ORM versions before 5.4.24.Final"
      }
    ]
  }
]