{"containers": {"cna": {"affected": [{"product": "hibernate-core", "vendor": "n/a", "versions": [{"status": "affected", "version": "Hibernate ORM versions before 5.4.24.Final"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:15:21", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353"}, {"name": "[debian-lts-announce] 20210103 [SECURITY] [DLA 2512-1] libhibernate3-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html"}, {"name": "DSA-4908", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4908"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"}, {"name": "[turbine-commits] 20211018 [turbine-fulcrum-security] 02/02: disable module hibernate (JIRA issue TRB-103), update docs, remove suppression", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-25638", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hibernate-core", "version": {"version_data": [{"version_value": "Hibernate ORM versions before 5.4.24.Final"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353"}, {"name": "[debian-lts-announce] 20210103 [SECURITY] [DLA 2512-1] libhibernate3-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html"}, {"name": "DSA-4908", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4908"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E"}, {"name": "[turbine-commits] 20211018 [turbine-fulcrum-security] 02/02: disable module hibernate (JIRA issue TRB-103), update docs, remove suppression", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:40:35.438Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353"}, {"name": "[debian-lts-announce] 20210103 [SECURITY] [DLA 2512-1] libhibernate3-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html"}, {"name": "DSA-4908", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4908"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"}, {"name": "[turbine-commits] 20211018 [turbine-fulcrum-security] 02/02: disable module hibernate (JIRA issue TRB-103), update docs, remove suppression", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-25638", "datePublished": "2020-12-02T14:36:24", "dateReserved": "2020-09-16T00:00:00", "dateUpdated": "2024-08-04T15:40:35.438Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD3F836E-0018-4430-9FDD-235EA0F03F8D", "versionEndExcluding": "5.3.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", "matchCriteriaId": "355B45AF-42E0-4D63-969F-96FFEF16103B", "versionEndExcluding": "5.4.24", "versionStartIncluding": "5.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "1809D7D8-574D-4524-90A6-4C0B163E5630", "versionEndIncluding": "1.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAAB7154-4DE8-4806-86D0-C1D33B84417B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFAEA84-E376-40A2-8C9F-3E0676FEC527", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en hibernate-core en versiones anteriores a 5.4.23.Final incluy\u00e9ndola. Una inyecci\u00f3n SQL en la implementaci\u00f3n de la API de criterios de JPA puede permitir literales no saneados cuando es usado un literal en los comentarios de SQL de la consulta. Este fallo podr\u00eda permitir a un atacante acceder a informaci\u00f3n no autorizada o posiblemente conducir m\u00e1s ataques. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos"}], "id": "CVE-2020-25638", "lastModified": "2023-11-07T03:20:18.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-02T15:15:12.377", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4908"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:5174", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package": "hibernate-core", "product_name": "EAP 7.3.3", "release_date": "2020-11-23T00:00:00Z"}, {"advisory": "RHSA-2020:5302", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "hibernate-core", "product_name": "Red Hat build of Quarkus 1.7.5 SP1", "release_date": "2020-12-01T00:00:00Z"}, {"advisory": "RHSA-2021:3140", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "moderate", "package": "hibernate-core", "product_name": "Red Hat Fuse 7.9", "release_date": "2021-08-11T00:00:00Z"}, {"advisory": "RHSA-2021:2039", "cpe": "cpe:/a:redhat:integration:1", "impact": "low", "package": "hibernate-core", "product_name": "Red Hat Integration", "release_date": "2021-05-19T00:00:00Z"}, {"advisory": "RHSA-2020:5344", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1.0", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5175", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-hibernate-0:5.3.18-2.Final_redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-11-23T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jasypt-0:1.9.3-1.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5340", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5175", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-hibernate-0:5.3.18-2.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-11-23T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jasypt-0:1.9.3-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5341", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5175", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-hibernate-0:5.3.18-2.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-11-23T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jasypt-0:1.9.3-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5342", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2021:2562", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5", "impact": "low", "package": "hibernate-core", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7", "impact": "low", "package": "jws5-ecj-0:4.12.0-3.redhat_2.2.el7jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7", "impact": "low", "package": "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7", "impact": "low", "package": "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7", "impact": "low", "package": "jws5-tomcat-native-0:1.2.26-3.redhat_3.el7jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7", "impact": "low", "package": "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8", "impact": "low", "package": "jws5-ecj-0:4.12.0-3.redhat_2.2.el8jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8", "impact": "low", "package": "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8", "impact": "low", "package": "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8", "impact": "low", "package": "jws5-tomcat-native-0:1.2.26-3.redhat_3.el8jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8", "impact": "low", "package": "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2020:5254", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.4", "package": "hibernate-core", "product_name": "Red Hat Single Sign-On 7.4.3 one-off", "release_date": "2020-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:0292", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "hibernate-core", "product_name": "Red Hat support for Spring Boot 2.3.6", "release_date": "2021-02-02T00:00:00Z"}, {"advisory": "RHSA-2021:0603", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.10", "package": "hibernate-core-kie-server-ee8", "product_name": "RHDM 7.10.0", "release_date": "2021-02-17T00:00:00Z"}, {"advisory": "RHSA-2021:0600", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.10", "package": "hibernate-core-kie-server-ee8", "product_name": "RHPAM 7.10.0", "release_date": "2021-02-17T00:00:00Z"}, {"advisory": "RHSA-2020:5361", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "product_name": "Text-Only RHOAR", "release_date": "2020-12-16T00:00:00Z"}, {"advisory": "RHSA-2020:5388", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "hibernate-core", "product_name": "Text-Only RHOAR", "release_date": "2021-01-07T00:00:00Z"}, {"advisory": "RHSA-2020:5533", "cpe": "cpe:/a:redhat:red_hat_single_sign_on", "package": "hibernate-core", "product_name": "Text-Only RHSSO", "release_date": "2020-12-15T00:00:00Z"}], "bugzilla": {"description": "hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used", "id": "1881353", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-89", "details": ["A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.", "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters."}, "name": "CVE-2020-25638", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "hibernate-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "hibernate-core-kie-server-ee7", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "impact": "low", "package_name": "hibernate-core", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Out of support scope", "package_name": "hibernate-core", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "moderate", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "hibernate-core-kie-server-ee7", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2020-10-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-25638\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25638"], "statement": "For Red Hat Process Automation Manager and Red Hat Decision Manager, the kie-server-ee7 zip is primarily for Weblogic/Websphere which is decided to stay on hibernate 5.1.x, it's not possible to make an upgrade to 5.3.x due to technical reasons. For this reason this fix is included only for kie-server-ee7. For this reason there are two components for RHPAM and RHDM.", "threat_severity": "Important", "upstream_fix": "Hibernate ORM 5.4.24.Final"}