CVE-2019-14900

EPSS 1.22%
Veröffentlicht 06.07.2020 19:15:12
Zuletzt bearbeitet 21.11.2024 04:27:38
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hibernate ≫ Hibernate Orm Version < 5.3.18

Hibernate ≫ Hibernate Orm Version >= 5.4.0 < 5.4.18

Redhat ≫ Build Of Quarkus Version- SwEditiontext-only

Redhat ≫ Decision Manager Version7.0

Redhat ≫ Fuse Version < 7.8.0

Redhat ≫ Jboss Data Grid Version7.0.0

Redhat ≫ Jboss Enterprise Application Platform Version- SwEditiontext-only

Redhat ≫ Jboss Middleware Text-only Advisories Version-

Redhat ≫ Openstack Version10

Redhat ≫ Openstack Version13

Redhat ≫ Openstack Version14

Redhat ≫ Single Sign-on Version- SwEditiontext-only

Quarkus ≫ Quarkus Version <= 1.5.2

Redhat ≫ Jboss Enterprise Application Platform Version7.3

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Jboss Enterprise Application Platform Version7.4

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Jboss Enterprise Application Platform Version7.3

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.4

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.3

Redhat ≫ Enterprise Linux Version6.0

Redhat ≫ Jboss Enterprise Application Platform Version7.2

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Jboss Enterprise Application Platform Version7.2

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.2

Redhat ≫ Enterprise Linux Version6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.22%	0.782

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://bugzilla.redhat.com/show_bug.cgi?id=1666499

Third Party Advisory

Issue Tracking

https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E

https://security.netapp.com/advisory/ntap-20220210-0020/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-14900

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-14900

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-14900

EUVD