CVE-2020-25638 Potential for SQL injection when use_sql_comments logging is enabled

Description

This is a security fix relating to https://access.redhat.com/security/cve/CVE-2020-25638 .

The flaw has been present in Hibernate ORM for many years, so many older versions are affected.

An upgrade is recommended, but if you are using a very old version that makes it difficult to upgrade to the latest supported versions (series 5.4 and 5.3 at the time of writing), you can disable SQL comments by setting:

hibernate.use_sql_comments=false

This is also the default, so if you did not set use_sql_comments at all you are not affected.

The problem

Hibernate ORM correctly sanitises query parameters and the SQL it executes, but when the use_sql_comments option is enabled it also prepends a comment to the SQL that is sent to the relational database. The comment text itself is not sanitised, so it could contain escape sequences (such as a comment terminator) that modify the semantics of the executed SQL statement.
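The following is an added example (not Hibernate's own code) that models the flaw above: the comment is prepended as "/* <comment> */ <sql>", and a "*/" inside caller-controlled comment text ends the comment early. It assumes block comments do not nest (PostgreSQL nests them, so the check is a simplification), and the sanitiser is an illustration of the mitigation, not the project's actual patch.

```python
"""Added example (not Hibernate's own code). Models the use_sql_comments flaw:
the ORM emits "/* <comment> */ <sql>", and a "*/" inside untrusted comment
text closes the comment so that whatever follows is parsed as SQL.

Assumptions (constructed for this example): block comments do not nest
(PostgreSQL does nest them, so this is a simplification), and the comment
value is caller-controlled. The sanitiser illustrates the mitigation; it is
not the project's actual patch."""
import re

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
COMMENT_TERMINATOR = "*/"


def prefix_comment_unsafe(comment: str, sql: str) -> str:
    """The vulnerable shape: comment text embedded verbatim."""
    return f"/* {comment} */ {sql}"


def comment_is_safe(comment: str) -> bool:
    """Detection: a comment that can close itself must be rejected."""
    return COMMENT_TERMINATOR not in comment


def sanitize_comment(comment: str) -> str:
    """Mitigation: break up every terminator so the comment cannot end early.
    '* /' keeps the text readable in logs and can never re-form '*/'."""
    return comment.replace(COMMENT_TERMINATOR, "* /")


def prefix_comment_safe(comment: str, sql: str) -> str:
    """Hardened shape: same prefix, but with the comment sanitised first."""
    return f"/* {sanitize_comment(comment)} */ {sql}"


def executable_text(statement: str) -> str:
    """What the database parser sees once block comments are stripped
    (whitespace normalised so results can be compared)."""
    return " ".join(BLOCK_COMMENT.sub(" ", statement).split())


if __name__ == "__main__":
    query = "SELECT name FROM users WHERE id = ?"
    # Constructed hostile comment: the text after "*/" is outside the comment.
    hostile = "report */ SELECT 1 /*"
    print(comment_is_safe(hostile))  # -> False
    print(executable_text(prefix_comment_unsafe(hostile, query)))
    # -> SELECT 1 SELECT name FROM users WHERE id = ?
    print(executable_text(prefix_comment_safe(hostile, query)))
    # -> SELECT name FROM users WHERE id = ?
```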

Activity


Sanne Grinovero February 16, 2021 at 10:14 AM

good point, I’ll forward your suggestion to the security team. Thanks!

Colm O hEigeartaigh February 16, 2021 at 8:33 AM

Could the CVE be updated to reflect the fact that it’s also fixed in 5.3.20? Right now it only says the fix is in 5.4.24.

Fixed

Details

Created September 24, 2020 at 9:55 AM
Updated January 16, 2024 at 3:12 PM
Resolved November 13, 2020 at 4:39 PM