HIGH · 7.4

CVE-2020-25638

Vulnerability Description

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS Score

7.4

HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE

Affected Products

Vendor   | Product                                              | Versions
---------|------------------------------------------------------|-----------
Hibernate | Hibernate Orm                                       | < 5.3.20
Debian   | Debian Linux                                         | 9.0
Quarkus  | Quarkus                                              | <= 1.9.2
Oracle   | Communications Cloud Native Core Console              | 1.9.0
Oracle   | Retail Customer Management And Segmentation Foundation | 19.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2020-25638?

CVE-2020-25638 is a vulnerability with a CVSS score of 7.4 (HIGH). A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query.

How severe is CVE-2020-25638?

CVE-2020-25638 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2020-25638?

Check the references section above for vendor advisories and patch information. Affected products include: Hibernate Orm (Hibernate), Debian Linux (Debian), Quarkus (Quarkus), Communications Cloud Native Core Console (Oracle), and Retail Customer Management And Segmentation Foundation (Oracle).