A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1881353 | Issue Tracking Third Party Advisory |
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E | |
https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E | |
https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html | Mailing List Third Party Advisory |
https://www.debian.org/security/2021/dsa-4908 | Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
07 Nov 2023, 03:20
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
06 Dec 2022, 21:33
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 May 2022, 15:46
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* | |
First Time |
Oracle communications Cloud Native Core Console
|
20 Apr 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Apr 2022, 15:41
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E - Mailing List, Patch, Third Party Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
First Time |
Oracle
Oracle retail Customer Management And Segmentation Foundation |
|
CPE | cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* |
18 Oct 2021, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Oct 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Jun 2021, 13:25
Type | Values Removed | Values Added |
---|---|---|
References | (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
30 Apr 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Mar 2021, 17:05
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1881353 - Issue Tracking, Third Party Advisory | |
CPE | cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* |
16 Feb 2021, 17:29
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html - Mailing List, Third Party Advisory |
04 Jan 2021, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-12-02 15:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-25638
Mitre link : CVE-2020-25638
CVE.ORG link : CVE-2020-25638
JSON object : View
Products Affected
hibernate
- hibernate_orm
oracle
- communications_cloud_native_core_console
- retail_customer_management_and_segmentation_foundation
debian
- debian_linux
quarkus
- quarkus
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')