CVE-2020-25638 Potential for SQL injection on use_sql_comments logging enabled
This is a security fix relating to https://access.redhat.com/security/cve/CVE-2020-25638 .
The flaw has been present in Hibernate ORM since many years, so many older versions are affected.
An upgrade is recommended, but if you are using a very old version which makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at the time of writing), you can disable SQL comments by turning off the use_sql_comments setting:
This is also the default, so if you didn't set use_sql_comments at all you are not affected.
Hibernate ORM correctly sanitises query parameters and the SQL it executes, but when the use_sql_comments option is enabled it will also include a comment in the SQL which is sent to the relational database; the comment itself could possibly include escape sequences, modifying the semantics of the executed SQL statement.
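As an added example (not Hibernate's own code), a defensive check an application could apply to any caller-supplied text before passing it to Hibernate's `Query#setComment`, which is only emitted into the SQL when `hibernate.use_sql_comments` is enabled; the class name, the allowlist and the sample inputs are assumptions of this example.

```java
import java.util.regex.Pattern;

/**
 * Guard for text that an application embeds as a SQL comment. Assumption: the
 * comment is wrapped in a block comment by the ORM, so anything that could end
 * that block early, open a nested comment, start a line comment or carry a line
 * break must never reach the database. Only an allowlist of printable characters
 * is accepted; everything else is rejected rather than silently rewritten.
 */
public final class SqlCommentSanitizer {

    // Conservative allowlist: letters, digits, space and a few punctuation marks.
    // Note that '*', '/', ';', quotes and control characters are all excluded.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9 _.:=,-]{1,120}");

    private SqlCommentSanitizer() {}

    /** Returns true only if the text can be embedded in a block comment unchanged. */
    public static boolean isSafeComment(String text) {
        if (text == null || !SAFE.matcher(text).matches()) {
            return false;
        }
        // Defence in depth: the allowlist already rules these out, but keep the
        // invariant explicit so a later relaxation of the allowlist cannot drop it.
        return !text.contains("*/") && !text.contains("/*") && !text.contains("--");
    }

    /** Fails loudly so that a rejected comment shows up in application logs. */
    public static String requireSafeComment(String text) {
        if (!isSafeComment(text)) {
            throw new IllegalArgumentException("refusing to embed unsafe text in a SQL comment");
        }
        return text;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration: a plain identifier that
        // a service might use to tag its queries, and text carrying a comment terminator.
        System.out.println(isSafeComment("ReportService.loadOrders"));
        System.out.println(isSafeComment("tag */ ; -- rest"));
    }
}
```

A caller would then write `query.setComment(SqlCommentSanitizer.requireSafeComment(tag))`, keeping the comment a comment regardless of where `tag` originated.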
Good point, I'll forward your suggestion to the security team. Thanks!
Could the CVE be updated to reflect the fact that it's also fixed in 5.3.20? Right now it only says the fix is in 5.4.24.