CVE-2019-14900

MEDIUM

Redhat Openstack < 5.3.18 - SQL Injection

Title source: rule

Description

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Exploits (1)

nomisec STUB

by shanika04 · poc

https://github.com/shanika04/hibernate-orm

View Code ZIP pw:eip

References (3)

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1666499

[Mailing List] https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220210-0020/

Scores

CVSS v3 6.5

EPSS 0.0181

EPSS Percentile 82.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (16)

hibernate/hibernate_orm < 5.3.18

org.hibernate/hibernate-core 0 - 5.3.18Maven

quarkus/quarkus < 1.5.2

redhat/build_of_quarkus

redhat/decision_manager 7.0

redhat/fuse < 7.8.0

redhat/jboss_data_grid 7.0.0

redhat/jboss_enterprise_application_platform

redhat/jboss_enterprise_application_platform 7.3

redhat/jboss_enterprise_application_platform 7.4

... and 6 more

Published Jul 06, 2020

Tracked Since Feb 18, 2026