Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities in hibernate-core #1697

Closed
MaximMoinat opened this issue Nov 23, 2020 · 5 comments · Fixed by #1728
Closed

Vulnerabilities in hibernate-core #1697

MaximMoinat opened this issue Nov 23, 2020 · 5 comments · Fixed by #1728
Assignees
@ssuvorov-fls
Milestone
V2.8.1

Comments

@MaximMoinat
Copy link
Contributor

We found a number of vulnerabilities (identified by Snyk) in the WebApi. Most of which can be fixed easily by updating the dependencies.

Issue

SQL Injection. Introduced through: org.hibernate:[email protected], org.hibernate:[email protected] and others

A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Remediations

  • Upgrade to org.hibernate:[email protected]
  • Upgrade to org.hibernate:[email protected]
  • Reinstall the dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
@olga-ganina olga-ganina added this to the V2.8.0 - Backlog milestone Nov 24, 2020
@chrisknoll chrisknoll mentioned this issue Nov 24, 2020
Closed
@olga-ganina olga-ganina modified the milestones: Post 2.8, V2.8.1 Dec 22, 2020
ssuvorov-fls added a commit that referenced this issue Dec 30, 2020
@ssuvorov-fls
raised versions of hibernate(#1697)
3fcf2a5
@ssuvorov-fls ssuvorov-fls mentioned this issue Dec 30, 2020
Merged
ssuvorov-fls added a commit that referenced this issue Jan 12, 2021
@ssuvorov-fls
raised version of postgresql driver(#1697)
926d7af
chrisknoll pushed a commit that referenced this issue Jan 12, 2021
@ssuvorov-fls @chrisknoll
raised version of postgresql driver(#1697)
1e2fe2e
anton-abushkevich added a commit that referenced this issue Jan 14, 2021
@ssuvorov-fls @anton-abushkevich
raised versions of hibernate(#1697) (#1728)
ad2b7de 
Co-authored-by: Sergey Suvorov <[email protected]>
Co-authored-by: Anton Abushkevich <[email protected]>
@ssuvorov-fls
Copy link
Contributor

Eager loading is ignored in 5.4.24 org.hibernate:[email protected] so it was reverted to org.hibernate:[email protected]
Bug with absent eager loading - #1758

@chrisknoll
Copy link
Collaborator

Do you know if this works in 5.4.27?

@ssuvorov-fls
Copy link
Contributor

@chrisknoll
No, it doesn't, the last working version is 5.4.21

@chrisknoll
Copy link
Collaborator

chrisknoll commented Jan 28, 2021
edited
Loading

That's odd, i was hoping this was the issue that was in hibernate core: hibernate/hibernate-reactive#453

@ssuvorov-fls
Copy link
Contributor

Yes, it's very strange changes. After 5.4.21 hibernate does not generate sql for collections with eager fetching before such collections are used

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ssuvorov-fls ssuvorov-fls

Labels
None yet
Projects
None yet
Milestone
V2.8.1
Development

Successfully merging a pull request may close this issue.

raised versions of hibernate OHDSI/WebAPI
4 participants
@chrisknoll @MaximMoinat @ssuvorov-fls @olga-ganina