CVE-2019-14900
Summary
| CVE | CVE-2019-14900 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-07-06 19:15:00 UTC |
| Updated | 2023-11-07 03:05:00 UTC |
| Description | A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Hibernate | Hibernate Orm | All | All | All | All |
| Application | Hibernate | Hibernate Orm | All | All | All | All |
| Application | Quarkus | Quarkus | All | All | All | All |
| Application | Redhat | Build Of Quarkus | - | All | All | All |
| Application | Redhat | Decision Manager | 7.0 | All | All | All |
| Application | Redhat | Decision Manager | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Application | Redhat | Fuse | All | All | All | All |
| Application | Redhat | Fuse | 1.0 | All | All | All |
| Application | Redhat | Jboss Data Grid | 7.0.0 | All | All | All |
| Application | Redhat | Jboss Data Grid | 7.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | - | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.2 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.3 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.4 | All | All | All |
| Application | Redhat | Jboss Middleware Text-only Advisories | - | All | All | All |
| Application | Redhat | Openstack | 10 | All | All | All |
| Application | Redhat | Openstack | 13 | All | All | All |
| Application | Redhat | Openstack | 13.0 | All | All | All |
| Application | Redhat | Openstack | 14 | All | All | All |
| Application | Redhat | Openstack | 14.0 | All | All | All |
| Application | Redhat | Openstack | 10 | All | All | All |
| Application | Redhat | Openstack | 13.0 | All | All | All |
| Application | Redhat | Openstack | 14.0 | All | All | All |
| Application | Redhat | Single Sign-on | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [turbine-dev] 20211015 Fulcrum Security Hibernate Module | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| CVE-2019-14900 Hibernate ORM Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| 1666499 – (CVE-2019-14900) CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM | MISC | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.