cvelistv5 - CVE-2019-14900

CVE-2019-14900 (GCVE-0-2019-14900)

Vulnerability from cvelistv5

Published

2020-07-06 18:35

Modified

2024-08-05 00:26

Severity ?

CWE

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Summary

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

References

URL

	Vendor	Product	Version
	n/a	Hibernate	Version: Versions before Hibernate ORM 5.3.18 Version: Versions before Hibernate ORM 5.4.18 Version: Versions before Hibernate ORM 5.5.0.Beta1

RHSA-2020:3638

Vulnerability from csaf_redhat

Published

2020-09-07 12:58

Modified

2025-11-08 05:28

Summary

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 7 security update

Notes

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

This release of Red Hat JBoss Enterprise Application Platform 7.2.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547) * jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840) * jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) * jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546) * undertow: EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710) * wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687) * jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950) * resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695) * wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714) * dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683) * wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748) * hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693) * hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900) * wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718) • wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740) * jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service (CVE-2020-14307) * jboss-ejb-client: wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

URL	Tags
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1666499	Issue Tracking, Third Party Advisory
secalert@redhat.com	https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
secalert@redhat.com	https://security.netapp.com/advisory/ntap-20220210-0020/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1666499	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20220210-0020/	Third Party Advisory

Vendor	Product	Version
hibernate	hibernate_orm	*
hibernate	hibernate_orm	*
redhat	build_of_quarkus	-
redhat	decision_manager	7.0
redhat	fuse	*
redhat	jboss_data_grid	7.0.0
redhat	jboss_enterprise_application_platform	-
redhat	jboss_middleware_text-only_advisories	-
redhat	openstack	10
redhat	openstack	13
redhat	openstack	14
redhat	single_sign-on	-
quarkus	quarkus	*
redhat	jboss_enterprise_application_platform	7.3
redhat	jboss_enterprise_application_platform	7.4
redhat	enterprise_linux	8.0
redhat	jboss_enterprise_application_platform	7.3
redhat	jboss_enterprise_application_platform	7.4
redhat	enterprise_linux	7.0
redhat	jboss_enterprise_application_platform	7.3
redhat	enterprise_linux	6.0
redhat	jboss_enterprise_application_platform	7.2
redhat	enterprise_linux	8.0
redhat	jboss_enterprise_application_platform	7.2
redhat	enterprise_linux	7.0
redhat	jboss_enterprise_application_platform	7.2
redhat	enterprise_linux	6.0

Action not permitted

CVE-2019-14900 (GCVE-0-2019-14900)

Vulnerability from cvelistv5

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from cnvd

Vulnerability from fkie_nvd

Vulnerability from csaf_suse

Vulnerability from csaf_suse

Vulnerability from github

Vulnerability from gsd

Tags

Sightings

Nomenclature