Undergoing Analysis
CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.

Products

NHibernate

5.4.9

5.5.2

Source

security-advisories@github.com

CVE-2024-39677 details

Published : July 8, 2024, 3:15 p.m.
Last Modified : July 8, 2024, 3:49 p.m.

Description

NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.

CVSS Score

1	2	3	4	5.9	6	7	8	9	10

Weakness

Weakness	Name	Description
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

5.9

Exploitability Score

2.2

Impact Score

3.6

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

URL	Source
https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9	security-advisories@github.com
https://github.com/nhibernate/nhibernate-core/issues/3516	security-advisories@github.com
https://github.com/nhibernate/nhibernate-core/pull/3517	security-advisories@github.com
https://github.com/nhibernate/nhibernate-core/pull/3547	security-advisories@github.com
https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q	security-advisories@github.com

This website uses the NVD API, but is not approved or certified by it.

CVE-2024-39677

Products

Source

Tags

CVE-2024-39677 details

Description

CVSS Score

Weakness

CVSS Data

Attack Vector

Attack Complexity

Privileges Required

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Base Score

Exploitability Score

Impact Score

Base Severity

References