Описание
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Отчет
For Red Hat Process Automation Manager and Red Hat Decision Manager, the kie-server-ee7 zip is primarily for Weblogic/Websphere which is decided to stay on hibernate 5.1.x, it's not possible to make an upgrade to 5.3.x due to technical reasons. For this reason this fix is included only for kie-server-ee7. For this reason there are two components for RHPAM and RHDM.
Меры по смягчению последствий
Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | hibernate-core | Not affected | ||
| Red Hat BPM Suite 6 | hibernate-core | Out of support scope | ||
| Red Hat CodeReady Studio 12 | hibernate-core | Affected | ||
| Red Hat Decision Manager 7 | hibernate-core-kie-server-ee7 | Will not fix | ||
| Red Hat Integration Camel K 1 | hibernate-core | Not affected | ||
| Red Hat JBoss BRMS 5 | hibernate-core | Out of support scope | ||
| Red Hat JBoss BRMS 6 | hibernate-core | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | hibernate-core | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 5 | hibernate-core | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 6 | hibernate-core | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.4 High
CVSS3
Связанные уязвимости
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
A flaw was found in hibernate-core in versions prior to and including ...
Уязвимость интерфейса API JPA Criteria службы запросов Hibernate ORM, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность
EPSS
7.4 High
CVSS3