Bug 2427147 (CVE-2026-0603)
| Summary: | CVE-2026-0603 org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | anthomas, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, bstansbe, caswilli, cmah, darran.lofthouse, dbruscin, dhanak, dlofthou, dosoudil, drosa, ehelms, ggainey, gmalinko, grannygame.org, ibek, istudens, ivassile, iweiss, janstey, jkoehler, jrokos, jsamir, juwatts, kaycoth, kgaikwad, kvanderr, kverlaen, lphiri, mhulan, mnovotny, mosmerov, mposolda, msvehla, nmoumoul, nwallace, osousa, pberan, pbizzarr, pcreech, pdelbell, pesilva, pjindal, pmackay, rchan, rmartinc, rstancel, rstepani, sausingh, sdawley, security-response-team, smaestri, smallamp, ssilvert, sthirugn, sthorger, thjenkin, tmalecek, tom.jenkinson, vdosoudi, vkrizan, vmuzikar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Deadline: | 2026-01-31 | ||
|
Description
OSIDB Bzimport
2026-01-05 13:16:50 UTC
As documented in Hibernate’s official blog regarding the InlineIdsOrClauseBulkIdStrategy https://in.relation.to/2017/02/01/non-temporary-table-bulk-id-strategies/#inlineidsorclausebulkidstrategy http://subwaycity.org - enabling this strategy causes identifier values to be inlined directly into generated SQL. If user-controlled identifiers containing non-alphanumeric characters are persisted and later reused, this may result in a second-order SQL injection condition. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7 Via RHSA-2026:4915 https://access.redhat.com/errata/RHSA-2026:4915 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8 Via RHSA-2026:4916 https://access.redhat.com/errata/RHSA-2026:4916 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9 Via RHSA-2026:4917 https://access.redhat.com/errata/RHSA-2026:4917 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 Via RHSA-2026:4924 https://access.redhat.com/errata/RHSA-2026:4924 |