CVE-2019-14900

Published: 12 May 2020
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Statement

OpenDaylight: In RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack Platform, the hibernate-jpa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jpa implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection. Red Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in their candlepin component. However, that component does not use hibernate-core in a vulnerable way.

Mitigation

There is no currently known mitigation for this flaw.

Affected packages

Platform                                         | Package                       | State                | Recommendation | Release
Red Hat BPM Suite 6                              | hibernate-core                | Out of support scope |                |
Red Hat Decision Manager 7                       | hibernate-core-kie-server-ee7 | Will not fix         |                |
Red Hat JBoss BRMS 5                             | hibernate-core                | Not affected         |                |
Red Hat JBoss Data Grid 7                        | hibernate-core                | Affected             |                |
Red Hat JBoss Data Virtualization 6              | hibernate-core                | Out of support scope |                |
Red Hat JBoss Enterprise Application Platform 5  | hibernate-core                | Not affected         |                |
Red Hat JBoss Enterprise Application Platform 6  | hibernate-core                | Not affected         |                |
Red Hat JBoss Enterprise Web Server 2            | hibernate4                    | Not affected         |                |
Red Hat JBoss Fuse 6                             | hibernate-core                | Not affected         |                |
Red Hat JBoss Fuse Service Works 6               | hibernate-core                | Not affected         |                |

Additional information

Status: Moderate
Defect: CWE-89
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1666499 (hibernate: SQL injection issue in Hibernate ORM)

EPSS: 0.01405 (percentile: 80%), Low

CVSS3: 6.5 Medium

Related vulnerabilities

CVSS3: 6.5
nvd
more than 5 years ago

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

CVSS3: 6.5
debian
more than 5 years ago

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 an ...

CVSS3: 6.5
github
almost 4 years ago

SQL Injection in Hibernate ORM
