[hibernate-issues] [JIRA] (HHH-14077) CVE-2019-14900 SQL injection issue using JPA Criteria API

Mike Kelly (JIRA) jira at hibernate.atlassian.net
Tue Jul 28 17:06:06 EDT 2020


Mike Kelly ( https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A066cb73e-e283-405d-a1bd-28a8515a7c83 ) *commented* on HHH-14077 ( https://hibernate.atlassian.net/browse/HHH-14077?atlOrigin=eyJpIjoiZTcyNGUyOTNlMGJmNDcwOTkxM2VhMjVmNzU3MmE4MWEiLCJwIjoiaiJ9 )

Re: CVE-2019-14900 SQL injection issue using JPA Criteria API ( https://hibernate.atlassian.net/browse/HHH-14077?atlOrigin=eyJpIjoiZTcyNGUyOTNlMGJmNDcwOTkxM2VhMjVmNzU3MmE4MWEiLCJwIjoiaiJ9 )

The CVE for this implies this issue is fixed in 5.3.18, but this issue is not marked as fixed in that version (and that version does not appear to have been released).

Is 5.3 affected, and if so, is it planned to backport a fix for this to that branch? Right now, I don’t see an equivalent to https://github.com/hibernate/hibernate-orm/commit/3f3c1ab50604ab9ba99e25d2016fb85f3ba9dcd4 on the 5.3 branch.


