Gail Badner (https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%...) created an issue

Hibernate ORM (https://hibernate.atlassian.net/browse/HHH?atlOrigin=eyJpIjoiMzg0ZWZhMGE3...) / Bug
HHH-14077 (https://hibernate.atlassian.net/browse/HHH-14077?atlOrigin=eyJpIjoiMzg0ZW...): CVE-2019-14900 SQL injection issue using JPA Criteria API

Issue Type: Bug
Affects Versions: 5.3.16, 5.4.17
Assignee: Gail Badner
Components: query-criteria
Created: 18/Jun/2020 11:20 AM
Fix Versions: 5.5.0.Beta1, 5.3.18, 5.4.18
Priority: Blocker
Reporter: Gail Badner
A SQL injection in the implementation of the JPA Criteria API can permit unsanitized
literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw
could allow an attacker to access unauthorized information or possibly conduct further
attacks.
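The following is an added illustration of the query shape the description refers to; it is not code from the Hibernate issue or the project. The Account entity, the field names and the attacker-controlled string are all constructed for the example. On an affected release (5.3.16 / 5.4.17) a literal placed in the SELECT list (the issue says the same holds for GROUP BY) is rendered inline into the generated SQL instead of being bound, so a quote character inside it can change the statement; the exact SQL produced depends on the Hibernate version and dialect. The two safe variants show the structural alternatives: bind the value as a query parameter, or, where a dialect does not accept parameters in the select list, restrict the value to an allowlist before it reaches the Criteria API at all.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

// Hypothetical entity, constructed for this example only.
@Entity
class Account {
    @Id Long id;
    String username;
}

public class CriteriaLiteralExample {

    // Constructed attacker-controlled input. The single quote closes the
    // string literal that an unpatched Hibernate inlines into the SELECT list;
    // the rest of the string is then interpreted as SQL by the database.
    static final String UNTRUSTED_LABEL = "x' || (select secret from settings) || '";

    // VULNERABLE on 5.3.16 / 5.4.17: cb.literal(label) in the select list is
    // emitted as SQL text. Before the fix (5.3.18 / 5.4.18) it was not escaped,
    // so a label containing a quote changes the statement.
    static List<Object[]> vulnerable(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> cq = cb.createQuery(Object[].class);
        Root<Account> root = cq.from(Account.class);
        cq.multiselect(root.get("username"), cb.literal(label));
        return em.createQuery(cq).getResultList();
    }

    // SAFE (1): carry the value as a bind parameter. Its content is sent
    // separately from the SQL text, so quote characters in it are inert.
    // Caveat: not every dialect/JDBC driver accepts a parameter in the
    // select list; if yours does not, use the allowlist variant below.
    static List<Object[]> safeWithParameter(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> cq = cb.createQuery(Object[].class);
        Root<Account> root = cq.from(Account.class);
        ParameterExpression<String> p = cb.parameter(String.class, "label");
        cq.multiselect(root.get("username"), p);
        TypedQuery<Object[]> q = em.createQuery(cq);
        q.setParameter("label", label);
        return q.getResultList();
    }

    // SAFE (2): only values from a fixed, developer-owned set may ever be
    // turned into a literal. Anything else is rejected before query building.
    static final Set<String> PERMITTED_LABELS = Set.of("active", "locked", "pending");

    static List<Object[]> safeWithAllowlist(EntityManager em, String label) {
        if (!PERMITTED_LABELS.contains(label)) {
            throw new IllegalArgumentException("label not permitted");
        }
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> cq = cb.createQuery(Object[].class);
        Root<Account> root = cq.from(Account.class);
        // label is now a known constant, so inlining it is harmless.
        cq.multiselect(root.get("username"), cb.literal(label));
        return em.createQuery(cq).getResultList();
    }

    // Usage sketch (requires a configured EntityManager):
    //   vulnerable(em, UNTRUSTED_LABEL);        // injectable on affected versions
    //   safeWithParameter(em, UNTRUSTED_LABEL);  // value bound, not interpreted
    //   safeWithAllowlist(em, UNTRUSTED_LABEL);  // rejected before query build
}
```

When auditing a code base for this CVE, grep for `cb.literal(` / `CriteriaBuilder.literal(` and check whether the argument can originate from request data and whether the expression ends up in `select(...)`, `multiselect(...)` or `groupBy(...)`; literals in WHERE are bound as parameters under the default literal handling and are not what this issue is about. Upgrading to a fixed release closes the escaping bug, but the allowlist pattern is still the right design for any value that only exists to be rendered into SQL text.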
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100129-sha1:b514962)