CVE-2024-39677: NHibernate SQL injection vulnerability in discriminator mappings, static fields referenced in HQL, and some utilities
A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes:
- Mappings using inheritance with discriminator values:
  - The discriminator value could be written in the mapping in a way that exploits the vulnerability of the associated discriminator type, if that type is among the vulnerable ones.
  - The current culture settings for formatting the discriminator value type could be altered in a way that results in SQL injection through the discriminator values.
- HQL queries referencing a static field of the application.
- Users of the SqlInsertBuilder and SqlUpdateBuilder utilities who call their AddColumn overload taking a literal value. These overloads are unused by NHibernate but could be used by users referencing these utilities directly.
- Any direct use of the ObjectToSQLString methods for building SQL queries on the user side.
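For the mapping case above, a repository check can list discriminator values that deserve manual review. The script below is an added example, not code from NHibernate or from this advisory; the allowlist pattern, the function name audit_mapping and the sample mapping are assumptions made for illustration, and the check is a heuristic that does not cover culture settings, HQL or direct ObjectToSQLString use.

```python
import re
import xml.etree.ElementTree as ET

# Conservative allowlist (an assumption of this example): plain identifiers,
# the special values "null" / "not null", or a simple number.
SAFE_VALUE = re.compile(r"^(-?\d+(\.\d+)?|[A-Za-z0-9_. ]+)$")

# hbm.xml elements that can carry a discriminator-value attribute.
ELEMENTS = {"class", "subclass"}


def audit_mapping(xml_text, source="<inline>"):
    """Return (source, entity name, value) for each discriminator value to review."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        value = elem.get("discriminator-value")
        if tag in ELEMENTS and value is not None and not SAFE_VALUE.match(value):
            findings.append((source, elem.get("name"), value))
    return findings


# Constructed sample mapping; entity names and values are illustrative only.
SAMPLE_MAPPING = """
<hibernate-mapping xmlns="urn:nhibernate-mapping-2.2">
  <class name="Animal" table="Animals" discriminator-value="not null">
    <id name="Id"><generator class="native"/></id>
    <discriminator column="Kind" type="String"/>
    <subclass name="Cat" discriminator-value="CAT"/>
    <subclass name="Dog" discriminator-value="D'OG"/>
    <subclass name="Fish" discriminator-value="-3"/>
  </class>
</hibernate-mapping>
"""

if __name__ == "__main__":
    for source, name, value in audit_mapping(SAMPLE_MAPPING):
        print(f"{source}: review discriminator-value {value!r} on {name}")
```

A flagged value is not proof of a problem; it marks a mapping entry whose literal contains characters that a vulnerable discriminator type would have written into SQL unescaped.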
References
- github.com/advisories/GHSA-fg4q-ccq8-3r5q
- github.com/nhibernate/nhibernate-core
- github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9
- github.com/nhibernate/nhibernate-core/issues/3516
- github.com/nhibernate/nhibernate-core/pull/3517
- github.com/nhibernate/nhibernate-core/pull/3547
- github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q
- nvd.nist.gov/vuln/detail/CVE-2024-39677