{"id":"CVE-2020-25638","details":"A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.","aliases":["GHSA-j8jw-g6fq-mp7h"],"modified":"2026-05-18T05:52:27.892293625Z","published":"2020-12-02T15:15:12.377Z","related":["SUSE-SU-2022:0225-1","SUSE-SU-2022:0593-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_console","extracted_events":[{"last_affected":"1.9.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:retail_customer_management_and_segmentation_foundation","extracted_events":[{"last_affected":"19.0"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4908"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1881353"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hibernate/hibernate-orm","events":[{"introduced":"0"},{"fixed":"64be512b7d8e54ff8d2b9f917bc4c03c6f7bd26b"},{"introduced":"7759404259a8715927485fa1bc051da1f0dc9d9b"},{"fixed":"0b5d3a2acc9e0fa0a83fa69a1a0146b5a6eda61b"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"5.3.20"},{"introduced":"5.4.0"},{"fixed":"5.4.24"}],"cpe":"cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*"}}],"versions":["5.3.19","5.4.23","5.4.22","5.4.21","5.4.20","5.3.18","5.4.19","5.4.18","5.4.17","5.4.16","5.4.15","5.3.17","5.4.14","5.3.16","5.4.13","5.4.12","5.4.11","5.3.15","5.4.10","5.4.9","5.3.14","5.4.8","5.4.7","5.3.13","5.4.6","5.4.5","5.3.12","5.3.11","5.4.4","5.4.3","5.3.10","5.4.2","5.3.9","5.3.8","5.4.1","5.4.0","5.3.7","5.3.6","5.3.5","5.3.4","5.3.3","5.3.2","5.3.1","5.3.0.Final","5.3.0.CR2","5.3.0.Beta2","5.3.0.Beta1","5.2.12","5.2.11","5.2.10","5.2.9","5.2.8","5.2.7","5.2.6","5.2.5","5.2.4","5.2.3","5.2.2","5.2.1","5.2.0","5.1.0","5.0.0.Final","5.0.0.CR4","5.0.0.CR3","5.0.0.CR2","5.0.0.CR1","5.0.0.Beta2","5.0.0.Beta1","4.3.6.Final","4.3.5.Final","4.3.4.Final","4.3.3.Final","4.3.2.Final","4.3.1.Final","4.3.0.CR2","4.3.0.CR1","4.3.0.Beta5","4.3.0.Beta4","4.3.0.Beta3","4.3.0.Beta2","4.3.0.Beta1","4.1.5.SP1","4.1.5.Final","4.1.4.Final","4.1.3.Final","4.1.2.Final","4.1.2","4.1.1","4.1.0.Final","4.0.1","4.0.0.Final","4.0.0.CR7","4.0.0.CR6","4.0.0.CR5","4.0.0.CR4","4.0.0.CR3","4.0.0.CR2","4.0.0.CR1","4.0.0.Beta5","4.0.0.Beta4","4.0.0.Beta3","4.0.0.Beta2","4.0.0.Beta1","4.0.0.Alpha2","4.0.0.Alpha1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25638.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"8dfdb5700ae66f7787d86c2ad5bca194b8dfb64f"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.9.2"}],"cpe":"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*"}}],"versions":["1.9.2.Final"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-25638.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}