Description

Hibernate ORM is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. Hibernate Query Language (HQL) injection refers to an injection attack wherein an attacker tamper with the HQL query to execute malicious SQL statements that control a web application's database server.

Remediation

Use parameterized queries when dealing with HQL queries that contain user input. Parameterized queries allow the database to understand which parts of the HQL query should be considered as user input, therefore solving HQL injection.

References

CWE-564: SQL Injection: Hibernate

Hibernate

Related Vulnerabilities

WordPress Plugin Search Everything SQL Injection (8.1.6)

WordPress Plugin PureHTML 'alter.php' SQL Injection (1.0.0)

WordPress Plugin Registrations for the Events Calendar-Event Registration SQL Injection (2.7.5)

WordPress Plugin Registration Forms-User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction SQL Injection (3.0.9)

WordPress Plugin Spreadsheet (wpSS) 'ss_id' Parameter SQL Injection (0.61)

Severity

High

Classification

CWE-564 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Tags

SQL Injection