CVE-2020-25638 - SQL Injection

Abstract

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

The Oxygen XML products incorporate the hibernate-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Mitigation

None

Detail

CVE-2020-25638

Severity: High

CVSS Score: 7.4

The hibernate-core third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2020-25638 vulnerability description. However, the Oxygen XML software products doesn't set hibernate.use_sql_comments to true. Therefore Oxygen XML software products are not impacted by CVE-2020-25638.

Starting with Oxygen Content Fusion version 4.1, the hibernate-core package was updated to version 5.4.24, which includes a fix for this vulnerability.