Mike Kelly (https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%...) *commented* on HHH-14077 (https://hibernate.atlassian.net/browse/HHH-14077?atlOrigin=eyJpIjoiZTcyNG...)

Re: CVE-2019-14900 SQL injection issue using JPA Criteria API (https://hibernate.atlassian.net/browse/HHH-14077?atlOrigin=eyJpIjoiZTcyNG...)

The CVE for this implies this issue is fixed in 5.3.18, but this issue is not marked as
fixed in that version (and that version does not appear to have been released).
Is 5.3 affected, and if so, is it planned to backport a fix for this to that branch? Right
now, I don’t see an equivalent to
https://github.com/hibernate/hibernate-orm/commit/3f3c1ab50604ab9ba99e25d...
on the 5.3 branch.