{"id":"CVE-2019-14900","details":"A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.","aliases":["GHSA-8grg-q944-cch5"],"modified":"2026-04-02T02:54:20.355145Z","published":"2020-07-06T19:15:12.230Z","related":["SUSE-SU-2020:2650-1","SUSE-SU-2020:2832-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0020/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1666499"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hibernate/hibernate-orm","events":[{"introduced":"0"},{"fixed":"677568d2e62ef8614d192a3a81aed095bef38262"},{"introduced":"7759404259a8715927485fa1bc051da1f0dc9d9b"},{"fixed":"ab9de8e428df4202ae9ed22787a5d90f2e87203a"},{"introduced":"0"},{"last_affected":"9ff2e66565a8b398cf1015dafef3306ad0d31ba9"},{"introduced":"0"},{"last_affected":"9ff2e66565a8b398cf1015dafef3306ad0d31ba9"},{"introduced":"0"},{"last_affected":"a61e69fcd23df00d53c0e6a94ce8e6f020951d8c"},{"introduced":"0"},{"last_affected":"a61e69fcd23df00d53c0e6a94ce8e6f020951d8c"},{"introduced":"0"},{"last_affected":"a61e69fcd23df00d53c0e6a94ce8e6f020951d8c"},{"introduced":"0"},{"last_affected":"6f77c21e7e7dcf712b740c44b4437946ffdce23c"},{"introduced":"0"},{"last_affected":"6f77c21e7e7dcf712b740c44b4437946ffdce23c"},{"introduced":"0"},{"last_affected":"6f77c21e7e7dcf712b740c44b4437946ffdce23c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.3.18"},{"introduced":"5.4.0"},{"fixed":"5.4.18"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"7.0.0"},{"introduced":"0"},{"last_affected":"7.3"},{"introduced":"0"},{"last_affected":"7.3"},{"introduced":"0"},{"last_affected":"7.3"},{"introduced":"0"},{"last_affected":"7.2"},{"introduced":"0"},{"last_affected":"7.2"},{"introduced":"0"},{"last_affected":"7.2"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"1a16fc7479f91522d1c7a0c29e24e2ac10465196"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.5.2"}]}}],"versions":["0.0.1","0.1.0","0.10.0","0.11.0","0.12.0","0.13.0","0.13.1","0.13.2","0.13.3","0.14.0","0.15.0","0.16.0","0.16.1","0.17.0","0.18.0","0.19.0","0.19.1","0.2.0","0.20.0","0.21.0","0.21.1","0.21.2","0.22.0","0.23.0","0.23.1","0.23.2","0.24.0","0.25.0","0.26.0","0.26.1","0.27.0","0.28.0","0.28.1","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.8.0","0.9.0","0.9.1","1.0.0.CR1","1.0.0.CR2","1.0.0.Final","1.0.1.Final","1.1.0.CR1","1.1.0.Final","1.1.1.Final","1.10.0.CR1","1.10.0.Final","1.10.1.Final","1.10.2.Final","1.10.3.Final","1.10.4.Final","1.10.5.Final","1.11.0.Beta1","1.11.0.Beta2","1.11.0.CR1","1.11.0.Final","1.11.1.Final","1.11.2.Final","1.11.3.Final","1.11.4.Final","1.11.5.Final","1.11.6.Final","1.11.7.Final","1.12.0.CR1","1.12.0.Final","1.12.1.Final","1.12.2.Final","1.13.0.CR1","1.13.0.Final","1.13.1.Final","1.13.2.Final","1.13.3.Final","1.13.4.Final","1.13.5.Final","1.13.6.Final","1.13.7.Final","1.2.0.CR1","1.2.0.Final","1.2.1.Final","1.3.0.Alpha1","1.3.0.Alpha2","1.3.0.CR1","1.3.0.CR2","1.3.0.Final","1.3.1.Final","1.3.2.Final","1.3.3.Final","1.3.4.Final","1.4.0.CR1","1.4.0.Final","1.4.1.Final","1.4.2.Final","1.5.0.CR1","1.5.0.Final","1.5.1.Final","1.5.2.Final","1.6.0.CR1","1.6.0.Final","1.6.1.Final","1.7.0.CR1","1.7.0.CR2","1.7.0.Final","1.7.1.Final","1.7.2.Final","1.7.3.Final","1.7.4.Final","1.7.5.Final","1.7.6.Final","1.8.0.CR1","1.8.0.Final","1.8.1.Final","1.8.2.Final","1.8.3.Final","1.9.0.CR1","1.9.0.Final","1.9.1.Final","1.9.2.Final","2.0.0.Alpha1","2.0.0.Alpha2","2.0.0.Alpha3","2.0.0.CR1","2.0.0.CR2","2.0.0.CR3","2.0.0.Final","2.0.1.Final","2.0.2.Final","2.0.3.Final","2.1.0.CR1","2.1.0.Final","2.1.1.Final","2.1.2.Final","2.1.3.Final","2.1.4.Final","2.10.0.CR1","2.10.0.Final","2.10.1.Final","2.10.2.Final","2.10.3.Final","2.10.4.Final","2.11.0.CR1","2.11.0.Final","2.11.1.Final","2.11.2.Final","2.11.3.Final","2.12.0.CR1","2.12.0.Final","2.12.1.Final","2.12.2.Final","2.12.3.Final","2.13.0.CR1","2.13.0.Final","2.13.1.Final","2.13.2.Final","2.13.3.Final","2.13.4.Final","2.13.5.Final","2.13.6.Final","2.13.7.Final","2.13.8.Final","2.13.9.Final","2.14.0.CR1","2.14.0.Final","2.14.1.Final","2.14.2.Final","2.14.3.Final","2.15.0.CR1","2.15.0.Final","2.15.1.Final","2.15.2.Final","2.15.3.Final","2.16.0.CR1","2.16.0.Final","2.16.1.Final","2.16.10.Final","2.16.11.Final","2.16.12.Final","2.16.2.Final","2.16.3.Final","2.16.4.Final","2.16.5.Final","2.16.6.Final","2.16.7.Final","2.16.8.Final","2.16.9.Final","2.2.0.CR1","2.2.0.Final","2.2.1.Final","2.2.2.Final","2.2.3.Final","2.2.4.Final","2.2.5.Final","2.3.0.CR1","2.3.0.Final","2.3.1.Final","2.4.0.CR1","2.4.0.Final","2.4.1.Final","2.4.2.Final","2.5.0.CR1","2.5.0.Final","2.5.1.Final","2.5.2.Final","2.5.3.Final","2.5.4.Final","2.6.0.CR1","2.6.0.Final","2.6.1.Final","2.6.2.Final","2.6.3.Final","2.7.0.CR1","2.7.0.Final","2.7.1.Final","2.7.2.Final","2.7.3.Final","2.7.4.Final","2.7.5.Final","2.7.6.Final","2.7.7.Final","2.8.0.CR1","2.8.0.Final","2.8.1.Final","2.8.2.Final","2.8.3.Final","2.9.0.CR1","2.9.0.Final","2.9.1.Final","2.9.2.Final","3.0.0.Alpha1","3.0.0.Alpha2","3.0.0.Alpha3","3.0.0.Alpha4","3.0.0.Alpha5","3.0.0.Alpha6","3.0.0.Beta1","3.0.0.CR1","3.0.0.CR2","3.0.0.Final","3.0.1.Final","3.0.2.Final","3.0.3.Final","3.0.4.Final","3.1.0.CR1","3.1.0.Final","3.1.1.Final","3.1.2.Final","3.1.3.Final","3.10.0","3.10.0.CR1","3.10.1","3.10.2","3.11.0","3.11.0.CR1","3.11.1","3.11.2","3.11.3","3.12.0","3.12.0.CR1","3.12.1","3.12.2","3.12.3","3.13.0","3.13.0.CR1","3.13.1","3.13.2","3.13.3","3.14.0","3.14.0.CR1","3.14.1","3.14.2","3.14.3","3.14.4","3.15.0","3.15.0.CR1","3.15.1","3.15.2","3.15.3","3.15.3.1","3.15.4","3.15.5","3.15.6","3.15.6.1","3.15.6.2","3.15.7","3.16.0","3.16.0.CR1","3.16.1","3.16.2","3.16.3","3.16.4","3.17.0","3.17.0.CR1","3.17.1","3.17.2","3.17.3","3.17.4","3.17.5","3.17.6","3.17.7","3.17.8","3.18.0","3.18.0.CR1","3.18.1","3.18.2","3.18.3","3.18.4","3.19.0","3.19.0.CR1","3.19.1","3.19.2","3.19.3","3.19.4","3.2.0.CR1","3.2.0.Final","3.2.1.Final","3.2.10.Final","3.2.11.Final","3.2.12.Final","3.2.2.Final","3.2.3.Final","3.2.4.Final","3.2.5.Final","3.2.6.Final","3.2.7.Final","3.2.8.Final","3.2.9.Final","3.20.0","3.20.0.CR1","3.20.1","3.20.2","3.20.2.1","3.20.2.2","3.20.3","3.20.4","3.20.5","3.21.0","3.21.0.CR1","3.21.1","3.21.2","3.21.3","3.21.4","3.22.0","3.22.0.CR1","3.22.1","3.22.2","3.22.3","3.23.0","3.23.0.CR1","3.23.1","3.23.2","3.23.3","3.23.4","3.24.0","3.24.0.CR1","3.24.1","3.24.2","3.24.3","3.24.4","3.24.5","3.25.0","3.25.0.CR1","3.25.1","3.25.2","3.25.3","3.25.4","3.26.0","3.26.0.CR1","3.26.1","3.26.2","3.26.3","3.26.4","3.27.0","3.27.0.CR1","3.27.1","3.27.2","3.28.0","3.28.0.CR1","3.28.1","3.28.2","3.28.3","3.28.4","3.28.5","3.29.0","3.29.0.CR1","3.29.1","3.29.2","3.29.3","3.29.4","3.3.0","3.3.0.CR1","3.3.1","3.3.2","3.3.3","3.30.0","3.30.0.CR1","3.30.1","3.30.2","3.30.3","3.30.4","3.30.5","3.30.6","3.31.0.CR1","3.4.0","3.4.0.CR1","3.4.1","3.4.2","3.4.3","3.5.0","3.5.0.CR1","3.5.1","3.5.2","3.5.3","3.6.0","3.6.0.Beta1","3.6.0.Beta2","3.6.0.Beta3","3.6.0.Beta4","3.6.0.CR1","3.6.0.CR2","3.6.0.Final","3.6.1","3.6.1.Final","3.6.10.Final","3.6.2","3.6.2.Final","3.6.3","3.6.3.Final","3.6.4","3.6.4.Final","3.6.5","3.6.5.Final","3.6.6","3.6.6.Final","3.6.7","3.6.7.Final","3.6.8","3.6.8.Final","3.6.9","3.6.9.Final","3.7.0","3.7.0.CR1","3.7.1","3.7.2","3.7.3","3.7.4","3.8.0","3.8.0.CR1","3.8.1","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.6.1","3.9.0","3.9.0.CR1","3.9.0.CR2","3.9.1","3.9.2","3.9.3","3.9.4","3.9.5","4.0.0.Alpha1","4.0.0.Alpha2","4.0.0.Alpha3","4.0.0.Beta1","4.0.0.Beta2","4.0.0.Beta3","4.0.0.Beta4","4.0.0.Beta5","4.0.0.CR1","4.0.0.CR2","4.0.0.CR3","4.0.0.CR4","4.0.0.CR5","4.0.0.CR6","4.0.0.CR7","4.0.0.Final","4.0.1","4.1.0.Final","4.1.1","4.1.10.Final","4.1.11.Final","4.1.12.Final","4.1.2","4.1.2.Final","4.1.3.Final","4.1.4.Final","4.1.5.Final","4.1.5.SP1","4.1.6.Final","4.1.7.Final","4.1.8.Final","4.1.9.Final","4.2.0.CR1","4.2.0.CR2","4.2.0.Final","4.2.0.SP1","4.2.1.Final","4.2.10.Final","4.2.11.Final","4.2.12.Final","4.2.13.Final","4.2.14.Final","4.2.15.Final","4.2.16.Final","4.2.17.Final","4.2.18.Final","4.2.19.Final","4.2.2.Final","4.2.20.Final","4.2.21.Final","4.2.22.Final","4.2.23.Final","4.2.24.Final","4.2.25.Final","4.2.26.Final","4.2.27.Final","4.2.3.Final","4.2.4.Final","4.2.5.Final","4.2.6.Final","4.2.7.Final","4.2.7.SP1","4.2.8.Final","4.2.9.Final","4.3.0.Beta1","4.3.0.Beta2","4.3.0.Beta3","4.3.0.Beta4","4.3.0.Beta5","4.3.0.CR1","4.3.0.CR2","4.3.0.Final","4.3.1.Final","4.3.10.Final","4.3.11.Final","4.3.2.Final","4.3.3.Final","4.3.4.Final","4.3.5.Final","4.3.6.Final","4.3.7.Final","4.3.8.Final","4.3.9.Final","5.0.0.Beta1","5.0.0.Beta2","5.0.0.CR1","5.0.0.CR2","5.0.0.CR3","5.0.0.CR4","5.0.0.Final","5.0.1.Final","5.0.10","5.0.11","5.0.12","5.0.13","5.0.14","5.0.15","5.0.16","5.0.2.Final","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.0.9","5.1.0","5.1.1","5.1.10","5.1.11","5.1.12","5.1.13","5.1.14","5.1.15","5.1.16","5.1.17","5.1.2","5.1.3","5.1.4","5.1.5","5.1.6","5.1.7","5.1.8","5.1.9","5.2.0","5.2.1","5.2.10","5.2.11","5.2.12","5.2.13","5.2.14","5.2.15","5.2.16","5.2.17","5.2.18","5.2.2","5.2.3","5.2.4","5.2.5","5.2.6","5.2.7","5.2.8","5.2.9","5.3.0.Beta1","5.3.0.Beta2","5.3.0.CR2","5.3.0.Final","5.3.1","5.3.10","5.3.11","5.3.12","5.3.13","5.3.14","5.3.15","5.3.16","5.3.17","5.3.2","5.3.3","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.3.9","5.4.0","5.4.0.CR1","5.4.0.CR2","5.4.1","5.4.10","5.4.11","5.4.12","5.4.13","5.4.14","5.4.15","5.4.16","5.4.17","5.4.2","5.4.3","5.4.4","5.4.5","5.4.6","5.4.7","5.4.8","5.4.9","5.5.0","5.5.0.Alpha1","5.5.0.Beta1","5.5.0.CR1","5.5.2","5.5.3","5.5.4","5.5.5","5.5.6","5.5.7","5.5.8","5.5.9","5.6.0","5.6.0.Beta1","5.6.0.Beta2","5.6.0.CR1","5.6.1","5.6.10","5.6.11","5.6.12","5.6.13","5.6.14","5.6.15","5.6.2","5.6.3","5.6.4","5.6.5","5.6.6","5.6.7","5.6.8","5.6.9","6.0.0","6.0.0.Alpha1","6.0.0.Alpha2","6.0.0.Alpha3","6.0.0.Alpha4","6.0.0.Alpha5","6.0.0.Alpha6","6.0.0.Alpha7","6.0.0.Alpha8","6.0.0.Alpha9","6.0.0.Beta1","6.0.0.Beta2","6.0.0.Beta3","6.0.0.CR1","6.0.0.CR2","6.0.1","6.0.2","6.1.0","6.1.1","6.1.2","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.2.0","6.2.0.CR1","6.2.0.CR2","6.2.0.CR3","6.2.0.CR4","6.2.1","6.2.11","6.2.12","6.2.13","6.2.14","6.2.15","6.2.16","6.2.17","6.2.18","6.2.19","6.2.2","6.2.20","6.2.21","6.2.22","6.2.23","6.2.24","6.2.25","6.2.26","6.2.27","6.2.28","6.2.3","6.2.30","6.2.31","6.2.32","6.2.33","6.2.34","6.2.35","6.2.36","6.2.37","6.2.38","6.2.39","6.2.4","6.2.40","6.2.41","6.2.42","6.2.43","6.2.44","6.2.45","6.2.46","6.2.47","6.2.48","6.2.49","6.2.5","6.2.50","6.2.6","6.2.7","6.2.8","6.2.9","6.3.0","6.3.0.CR1","6.3.1","6.3.2","6.4.0","6.4.0.CR1","6.4.1","6.4.10","6.4.2","6.4.3","6.4.4","6.4.5","6.4.6","6.4.7","6.4.8","6.4.9","6.5.0","6.5.0.CR1","6.5.0.CR2","6.5.1","6.5.2","6.5.3","6.6.0","6.6.0.Alpha1","6.6.0.CR1","6.6.0.CR2","6.6.1","6.6.10","6.6.11","6.6.12","6.6.13","6.6.14","6.6.15","6.6.16","6.6.17","6.6.18","6.6.19","6.6.2","6.6.20","6.6.21","6.6.22","6.6.23","6.6.24","6.6.25","6.6.26","6.6.27","6.6.28","6.6.29","6.6.3","6.6.30","6.6.31","6.6.32","6.6.33","6.6.34","6.6.35","6.6.36","6.6.37","6.6.38","6.6.39","6.6.4","6.6.40","6.6.41","6.6.42","6.6.43","6.6.44","6.6.45","6.6.46","6.6.5","6.6.6","6.6.7","6.6.8","6.6.9","7.0.0","7.0.0.Alpha1","7.0.0.Alpha2","7.0.0.Alpha3","7.0.0.Beta1","7.0.0.Beta2","7.0.0.Beta3","7.0.0.Beta4","7.0.0.Beta5","7.0.0.CR1","7.0.0.CR2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14900.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"7.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10"}]},{"events":[{"introduced":"0"},{"last_affected":"13"}]},{"events":[{"introduced":"0"},{"last_affected":"14"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}