Home > Vulnerability Database > CVE-2020-25638

Mend.io Vulnerability Database

CVE-2020-25638

Good to know:

Date: December 2, 2020

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Language: Java

Severity Score

7.4

Related Resources (16)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-25638

Url: https://github.com/hibernate/hibernate-orm

Url: https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html

Url: https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1881353

Url: https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E

Url: https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E

Url: https://www.debian.org/security/2021/dsa-4908

Url: https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://github.com/hibernate/hibernate-orm/commit/36ebf7d3836e83e99f2a91777b5389e1daf1f2b7

Url: https://www.oracle.com/security-alerts/cpujul2022.html

Url: https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78

Url: https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2020-25638

Severity Score

7.4

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version org.hibernate:hibernate-core:5.3.20.Final,5.4.24.Final

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-25638

Good to know:

Date: December 2, 2020

Language: Java

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?