CVE-2019-14900 — SQL Injection in Hibernate ORM

Description

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

How to fix CVE-2019-14900

To remediate CVE-2019-14900, upgrade the affected package to a fixed version below.

—upgrade to 5.3.18 or later

Is CVE-2019-14900 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.3.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-14900
PATCHgithub.com/hibernate/hibernate-orm
WEBbugzilla.redhat.com/show_bug.cgi?id=1666499
WEBgithub.com/hibernate/hibernate-orm/commit/3f3c1ab50604ab9ba99e25d2016fb85f3ba9dcd4