hibernate-core is vulnerable to SQL injection. The vulnerability exists when both hibernate.use_sql_comments and JPQL String literals are used, which allows an attacker to inject arbitrary SQL queries.
access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
access.redhat.com/errata/RHSA-2020:5175
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1881353
lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E
lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E
lists.debian.org/debian-lts-announce/2021/01/msg00000.html
www.debian.org/security/2021/dsa-4908
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujul2022.html
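
To check a code base for the first precondition named in the description, the sketch below audits configuration files for hibernate.use_sql_comments being turned on. It is an added example, not code from the advisory or from the Hibernate project; the file names, the sample contents and the helper names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

KEY = "hibernate.use_sql_comments"

def _is_true(value):
    return value is not None and value.strip().lower() == "true"

def sql_comments_enabled(filename, text):
    """Return True if this config text turns on hibernate.use_sql_comments."""
    if filename.endswith(".xml"):
        for el in ET.fromstring(text).iter():
            if el.tag.rsplit("}", 1)[-1] != "property":  # drop XML namespace
                continue
            # persistence.xml: value="..." attribute; hibernate.cfg.xml: element text
            value = el.get("value", el.text)
            # assumption: hibernate.cfg.xml entries may omit the "hibernate." prefix
            if el.get("name") in (KEY, "use_sql_comments") and _is_true(value):
                return True
        return False
    for line in text.splitlines():  # .properties syntax
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        # endswith() also catches Spring Boot's spring.jpa.properties.* pass-through
        if m and m.group(1).endswith(KEY) and _is_true(m.group(2)):
            return True
    return False

def audit(configs):
    """Names of the config files that enable SQL comments."""
    return sorted(n for n, t in configs.items() if sql_comments_enabled(n, t))

# Constructed sample configs, not taken from any real project.
SAMPLES = {
    "persistence.xml":
        '<persistence xmlns="http://xmlns.jcp.org/xml/ns/persistence">'
        '<persistence-unit name="pu"><properties>'
        '<property name="hibernate.use_sql_comments" value="true"/>'
        '</properties></persistence-unit></persistence>',
    "hibernate.cfg.xml":
        '<hibernate-configuration><session-factory>'
        '<property name="use_sql_comments">true</property>'
        '</session-factory></hibernate-configuration>',
    "application.properties":
        "spring.jpa.properties.hibernate.use_sql_comments = TRUE\n",
    "hibernate.properties":
        "# hibernate.use_sql_comments=true\nhibernate.use_sql_comments=false\n",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A hit covers only one of the two conditions in the description; the other is JPQL built with String literals, for which bound query parameters are the usual remedy.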