CVE-2020-25638

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*
cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*

History

25 Jul 2022, 18:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

10 May 2022, 15:46

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
First Time Oracle communications Cloud Native Core Console

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

01 Apr 2022, 15:41

Type Values Removed Values Added
First Time Oracle
Oracle retail Customer Management And Segmentation Foundation
CPE cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
References (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E - Mailing List, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E - Mailing List, Patch, Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory

18 Oct 2021, 10:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E -

15 Oct 2021, 17:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E -
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

02 Jun 2021, 13:25

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - Third Party Advisory

30 Apr 2021, 13:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-4908 -

15 Mar 2021, 17:05

Type Values Removed Values Added
CPE cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1881353 - Issue Tracking, Vendor Advisory (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1881353 - Issue Tracking, Third Party Advisory

16 Feb 2021, 17:29

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
References (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html - (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html - Mailing List, Third Party Advisory

04 Jan 2021, 01:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html -

Information

Published : 2020-12-02 15:15

Updated : 2022-07-25 18:15


NVD link : CVE-2020-25638

Mitre link : CVE-2020-25638


JSON object : View

Products Affected

quarkus

  • quarkus

oracle

  • retail_customer_management_and_segmentation_foundation
  • communications_cloud_native_core_console

hibernate

  • hibernate_orm

debian

  • debian_linux
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')