CVE-2024-39677 MEDIUM

CVE-2024-39677: NHibernate SQL injection vulnerability in discriminator mappings, static fields referenced in HQL, and some utilities

Vendor Nhibernate
Product nhibernate-core
Weakness CWE-89 · SQLi
Published July 8, 2024
Last update August 2, 2024

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.

Key dates

02Disclosure timeline

July 8, 2024 CVE published
August 2, 2024 Record updated