CVE-2020-25638

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*
cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

History

18 Oct 2021, 10:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E -

15 Oct 2021, 17:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E -
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

02 Jun 2021, 13:25

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - (DEBIAN) https://www.debian.org/security/2021/dsa-4908 - Third Party Advisory

30 Apr 2021, 13:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-4908 -

15 Mar 2021, 17:05

Type Values Removed Values Added
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1881353 - Issue Tracking, Vendor Advisory (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1881353 - Issue Tracking, Third Party Advisory
CPE cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

16 Feb 2021, 17:29

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
References (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html - (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html - Mailing List, Third Party Advisory

04 Jan 2021, 01:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html -

Information

Published : 2020-12-02 15:15

Updated : 2021-10-18 10:15


NVD link : CVE-2020-25638

Mitre link : CVE-2020-25638


JSON object : View

Products Affected

hibernate

  • hibernate_orm

debian

  • debian_linux

quarkus

  • quarkus
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')