MEDIUM · 6.5

CVE-2019-14900

Vulnerability Description

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

CVSS Score

6.5 (MEDIUM)

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor      Product                                  Versions
Hibernate   Hibernate Orm                            < 5.3.18
Redhat      Build Of Quarkus                         -
Redhat      Decision Manager                         7.0
Redhat      Fuse                                     < 7.8.0
Redhat      Jboss Data Grid                          7.0.0
Redhat      Jboss Enterprise Application Platform    -
Redhat      Jboss Middleware Text-Only Advisories    -
Redhat      Openstack                                10
Redhat      Single Sign-On                           -
Quarkus     Quarkus                                  <= 1.5.2
Redhat      Enterprise Linux                         8.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-14900?

CVE-2019-14900 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

How severe is CVE-2019-14900?

CVE-2019-14900 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2019-14900?

Check the references section above for vendor advisories and patch information. Affected products include: Hibernate Hibernate Orm, Redhat Build Of Quarkus, Redhat Decision Manager, Redhat Fuse, Redhat Jboss Data Grid.