CVE-2020-25638 - SQL Injection

Severity: Low

2021-12-08


Abstract

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

The Oxygen XML products incorporate hibernate-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product: Oxygen Content Fusion 4.1 and older
Severity: Low
Fixed Release Availability: Oxygen Content Fusion 4.1.2 build 2021112414

Mitigation

None

Detail

CVE-2020-25638

Severity: High

CVSS Score: 7.4

The hibernate-core third-party library used by Oxygen XML software products is one of the affected versions listed in the CVE-2020-25638 vulnerability description. However, the Oxygen XML software products do not set hibernate.use_sql_comments to true. Therefore, Oxygen XML software products are not impacted by CVE-2020-25638.
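The reasoning above (affected library version AND hibernate.use_sql_comments enabled) can be turned into a quick exposure check for any deployment bundling hibernate-core. The following is an added example, not code from Oxygen XML or the Hibernate project; it assumes a plain Java-properties style configuration file and treats 5.4.23.Final as the last affected release, as the abstract states.

```python
"""Exposure check for CVE-2020-25638: a deployment is exposed only when the
bundled hibernate-core is <= 5.4.23.Final AND hibernate.use_sql_comments is
set to true.  Added example, not Oxygen XML or Hibernate code."""
import re

# Last affected hibernate-core release per the advisory abstract.
LAST_AFFECTED = (5, 4, 23)
FLAG = "hibernate.use_sql_comments"

def parse_version(version: str) -> tuple:
    """Turn '5.4.23.Final' or '5.4.24' into a comparable numeric tuple;
    a trailing qualifier such as '.Final' is ignored."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable hibernate-core version: {version!r}")
    # Pad so that '5.4' compares like 5.4.0
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected_version(version: str) -> bool:
    return parse_version(version) <= LAST_AFFECTED

def sql_comments_enabled(properties_text: str) -> bool:
    """Parse 'key=value' / 'key: value' / 'key value' lines (assumption: plain
    Java properties syntax, comments start with # or !) and report whether
    hibernate.use_sql_comments is set to true.  The last assignment wins."""
    enabled = False
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == FLAG:
            enabled = m.group(2).strip().lower() == "true"
    return enabled

def is_exposed(version: str, properties_text: str) -> bool:
    """Mirror the advisory's reasoning: both conditions must hold."""
    return is_affected_version(version) and sql_comments_enabled(properties_text)

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = "hibernate.show_sql=true\nhibernate.use_sql_comments=true\n"
SAFE_CONFIG = "hibernate.show_sql=true\n# SQL comments left at the default\n"
```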

Starting with Oxygen Content Fusion version 4.1, the hibernate-core package was updated to version 5.4.24, which includes a fix for this vulnerability.
