CVE-2019-14900

moderate-risk

Published 2020-07-06

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Do I need to act?

1.8% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (15)

Hibernate Orm

Build Of Quarkus

Decision Manager

Fuse

Jboss Data Grid

Jboss Enterprise Application Platform

Jboss Middleware Text-Only Advisories

Openstack

Single Sign-On

Quarkus

Jboss Enterprise Application Platform

Affected Vendors

Redhat Quarkus Hibernate

References (6)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1666499

https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9...

Third Party Advisory https://security.netapp.com/advisory/ntap-20220210-0020/

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1666499

https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9...

Third Party Advisory https://security.netapp.com/advisory/ntap-20220210-0020/

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 5/34 · Minimal

Exposure 18/34 · Moderate