CVE-2020-25638
moderate-risk
Published 2020-12-02
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Do I need to act?
-
0.84% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10
High
NETWORK
/ HIGH complexity
Affected Products (6)
References (16)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1881353
Third Party Advisory
https://www.debian.org/security/2021/dsa-4908
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1881353
Third Party Advisory
https://www.debian.org/security/2021/dsa-4908
38
/ 100
moderate-risk
Severity
22/34 · High
Exploitability
3/34 · Minimal
Exposure
13/34 · Low