1. Home
  2. CWE Database
  3. CWE-564
Variant · Low-Medium

CWE-564: SQL Injection: Hibernate

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

CWE-564 · Variant Level ·5 Mitigations

Description

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Potential Impact

Confidentiality, Integrity

Read Application Data, Modify Application Data

Demonstrative Examples

The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.
Bad
String street = getStreetFromUser();Query query = session.createQuery("from Address a where a.street='" + street + "'");

Mitigations & Prevention

Requirements

A non-SQL style database which is not subject to this flaw may be chosen.

Architecture and Design

Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.

Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Implementation

Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.

Implementation

Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but i...

Taxonomy Mappings

  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-564?

CWE-564 (SQL Injection: Hibernate) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

How can CWE-564 be exploited?

Attackers can exploit CWE-564 (SQL Injection: Hibernate) to read application data, modify application data. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-564?

Key mitigations include: A non-SQL style database which is not subject to this flaw may be chosen.

What is the severity of CWE-564?

CWE-564 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.