SQL Injection Vulnerability in NHibernate Affects Inheritance and HQL Queries
CVE-2024-39677
Key Information:
- Vendor: NHibernate
- Affected package: nhibernate-core
- CVE published: 8 July 2024
Summary
A SQL injection vulnerability exists in NHibernate, an object-relational mapper for the .NET framework. The flaw lies in implementations of ILiteralType.ObjectToSQLString, where improper handling of the value being rendered as a SQL literal can lead to unintended SQL being executed. Vulnerable scenarios include inheritance mappings that use discriminator values, HQL queries that reference static application fields, and uses of the SqlInsertBuilder and SqlUpdateBuilder utilities that accept literal values without proper handling. Application code that calls ObjectToSQLString directly to build SQL queries is also susceptible. A fix for this vulnerability is included in NHibernate versions 5.4.9 and 5.5.2.
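To illustrate the bug class the summary describes, the following constructed example (not NHibernate's code) contrasts a literal renderer that wraps a value in quotes without escaping, in the spirit of a flawed ObjectToSQLString implementation, with one that escapes embedded quotes, and with a parameterized query; the table, column names and helper names are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed stand-in for a flawed literal renderer: quotes the value
# but leaves embedded single quotes untouched.
def unsafe_literal(value: str) -> str:
    return "'" + value + "'"

# Hardened renderer: doubles embedded single quotes, the standard SQL escape.
def safe_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"

# Mimics a discriminator filter generated for an inheritance mapping,
# with the discriminator value inlined as a literal.
def build_query(discriminator: str, render) -> str:
    return "SELECT id FROM animals WHERE kind = " + render(discriminator)

def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE animals(id INTEGER PRIMARY KEY, kind TEXT);
        INSERT INTO animals(kind) VALUES ('cat'), ('dog'), ('cow');
    """)
    return conn

def count_with_literal(discriminator: str, render) -> int:
    conn = _fresh_db()
    rows = conn.execute(build_query(discriminator, render)).fetchall()
    conn.close()
    return len(rows)

# Preferred defence: pass the value as a bound parameter, never as text.
def count_with_parameter(discriminator: str) -> int:
    conn = _fresh_db()
    rows = conn.execute("SELECT id FROM animals WHERE kind = ?",
                        (discriminator,)).fetchall()
    conn.close()
    return len(rows)

def compare(discriminator: str) -> tuple:
    """Row counts for (unsafe literal, escaped literal, bound parameter)."""
    return (count_with_literal(discriminator, unsafe_literal),
            count_with_literal(discriminator, safe_literal),
            count_with_parameter(discriminator))

if __name__ == "__main__":
    print(compare("cat"))             # (1, 1, 1): all three agree on benign input
    print(compare("x' OR 'a'='a"))    # (3, 0, 0): only the unsafe renderer widens the filter
```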
Affected Version(s)
- nhibernate-core < 5.4.9 (fixed in 5.4.9)
- nhibernate-core >= 5.5.0, < 5.5.2 (fixed in 5.5.2)
Timeline
- Vulnerability reserved
- Vulnerability published: 8 July 2024