{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"hibernate security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for hibernate is now available for openEuler-20.03-LTS-SP1.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Hibernate is a powerful, high-performance, feature-rich and very popular ORM solution for Java. Hibernate facilitates development of persistent objects based on the common Java object model to mirror the underlying database structure. This approach improves business performance to some extent, greatly increases development efficiency, and delivers good cost-effectiveness and practicality.  Provides: hibernate-core = 5.0.10-6.oe1 Provides: hibernate-c3p0 = 5.0.10-6.oe1 Provides: hibernate-ehcache = 5.0.10-6.oe1 Provides: hibernate-entitymanager = 5.0.10-6.oe1 Provides: hibernate-envers = 5.0.10-6.oe1 Provides: hibernate-hikaricp = 5.0.10-6.oe1 Provides: hibernate-infinispan = 5.0.10-6.oe1 Provides: hibernate-java8 = 5.0.10-6.oe1 Provides: hibernate-osgi = 5.0.10-6.oe1 Provides: hibernate-parent = 5.0.10-6.oe1 Provides: hibernate-proxool = 5.0.10-6.oe1 Provides: hibernate-spatial = 5.0.10-6.oe1 Provides: hibernate-testing = 5.0.10-6.oe1 Provides: hibernate-javadoc = 5.0.10-6.oe1  Obsoletes: hibernate-core < 5.0.10-6.oe1 Obsoletes: hibernate-c3p0 < 5.0.10-6.oe1 Obsoletes: hibernate-ehcache < 5.0.10-6.oe1 Obsoletes: hibernate-entitymanager < 5.0.10-6.oe1 Obsoletes: hibernate-envers < 5.0.10-6.oe1 Obsoletes: hibernate-hikaricp < 5.0.10-6.oe1 Obsoletes: hibernate-infinispan < 5.0.10-6.oe1 Obsoletes: hibernate-java8 < 5.0.10-6.oe1 Obsoletes: hibernate-osgi < 5.0.10-6.oe1 Obsoletes: hibernate-parent < 5.0.10-6.oe1 Obsoletes: hibernate-proxool < 5.0.10-6.oe1 Obsoletes: hibernate-spatial < 5.0.10-6.oe1 Obsoletes: hibernate-testing < 5.0.10-6.oe1 Obsoletes: hibernate-javadoc < 5.0.10-6.oe1\n\nSecurity Fix(es):\n\nA flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. (CVE-2019-14900)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for hibernate is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"hibernate",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2021-1135",
				"category":"self",
				"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1135"
			},
			{
				"summary":"CVE-2019-14900",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2019-14900&packageName=hibernate"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14900"
			},
			{
				"summary":"openEuler-SA-2021-1135 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1135.json"
			}
		],
		"title":"An update for hibernate is now available for openEuler-20.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2021-04-07T09:18:54+08:00",
			"revision_history":[
				{
					"date":"2021-04-07T09:18:54+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:18:54+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:18:54+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:18:54+08:00",
			"id":"openEuler-SA-2021-1135",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"hibernate-5.0.10-8.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"hibernate-5.0.10-8.oe1.noarch.rpm"
								},
								"name":"hibernate-5.0.10-8.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"hibernate-5.0.10-8.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"hibernate-5.0.10-8.oe1.src.rpm"
								},
								"name":"hibernate-5.0.10-8.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"hibernate-5.0.10-8.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.noarch",
					"name":"hibernate-5.0.10-8.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"hibernate-5.0.10-8.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.src",
					"name":"hibernate-5.0.10-8.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2019-14900",
			"notes":[
				{
					"text":"A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.noarch",
					"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.noarch",
						"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.src"
					],
					"details":"hibernate security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1135"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.noarch",
						"openEuler-20.03-LTS-SP1:hibernate-5.0.10-8.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2019-14900"
		}
	]
}