Vulnerability details: VCID-vdv3-7dwp-suab
Vulnerability ID VCID-vdv3-7dwp-suab
Aliases CVE-2020-25638
GHSA-j8jw-g6fq-mp7h
Summary SQL injection in hibernate-core
A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-25638.json
epss 0.00633 https://api.first.org/data/v1/epss?cve=CVE-2020-25638
epss 0.00676 https://api.first.org/data/v1/epss?cve=CVE-2020-25638
epss 0.00844 https://api.first.org/data/v1/epss?cve=CVE-2020-25638
cvssv3.1 7.4 https://bugzilla.redhat.com/show_bug.cgi?id=1881353
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=1881353
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=1881353
cvssv3.1 7.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-j8jw-g6fq-mp7h
cvssv3.1 7.4 https://github.com/hibernate/hibernate-orm
generic_textual HIGH https://github.com/hibernate/hibernate-orm
cvssv3.1 7.4 https://github.com/hibernate/hibernate-orm/commit/36ebf7d3836e83e99f2a91777b5389e1daf1f2b7
generic_textual HIGH https://github.com/hibernate/hibernate-orm/commit/36ebf7d3836e83e99f2a91777b5389e1daf1f2b7
cvssv3.1 7.4 https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78
generic_textual HIGH https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78
cvssv3.1 7.4 https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5
generic_textual HIGH https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5
cvssv3.1 7.4 https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E
cvssv3.1 7.4 https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
ssvc Track https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
cvssv3.1 7.4 https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E
cvssv3.1 7.4 https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E
ssvc Track https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E
cvssv3.1 7.4 https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html
ssvc Track https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html
cvssv3.1 7.4 https://nvd.nist.gov/vuln/detail/CVE-2020-25638
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-25638
cvssv3.1 7.4 https://www.debian.org/security/2021/dsa-4908
generic_textual HIGH https://www.debian.org/security/2021/dsa-4908
ssvc Track https://www.debian.org/security/2021/dsa-4908
cvssv3.1 7.4 https://www.oracle.com/security-alerts/cpuapr2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuapr2022.html
ssvc Track https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv3.1 7.4 https://www.oracle.com//security-alerts/cpujul2021.html
generic_textual HIGH https://www.oracle.com//security-alerts/cpujul2021.html
ssvc Track https://www.oracle.com//security-alerts/cpujul2021.html
cvssv3.1 7.4 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Track https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-25638.json
https://api.first.org/data/v1/epss?cve=CVE-2020-25638
https://bugzilla.redhat.com/show_bug.cgi?id=1881353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/hibernate/hibernate-orm
https://github.com/hibernate/hibernate-orm/commit/36ebf7d3836e83e99f2a91777b5389e1daf1f2b7
https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78
https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E
https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2020-25638
https://www.debian.org/security/2021/dsa-4908
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujul2022.html
GHSA-j8jw-g6fq-mp7h https://github.com/advisories/GHSA-j8jw-g6fq-mp7h
r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E
RHSA-2020:5174 https://access.redhat.com/errata/RHSA-2020:5174
RHSA-2020:5175 https://access.redhat.com/errata/RHSA-2020:5175
RHSA-2020:5254 https://access.redhat.com/errata/RHSA-2020:5254
RHSA-2020:5302 https://access.redhat.com/errata/RHSA-2020:5302
RHSA-2020:5340 https://access.redhat.com/errata/RHSA-2020:5340
RHSA-2020:5341 https://access.redhat.com/errata/RHSA-2020:5341
RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342
RHSA-2020:5344 https://access.redhat.com/errata/RHSA-2020:5344
RHSA-2020:5361 https://access.redhat.com/errata/RHSA-2020:5361
RHSA-2020:5388 https://access.redhat.com/errata/RHSA-2020:5388
RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533
RHSA-2021:0292 https://access.redhat.com/errata/RHSA-2021:0292
RHSA-2021:0600 https://access.redhat.com/errata/RHSA-2021:0600
RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603
RHSA-2021:2039 https://access.redhat.com/errata/RHSA-2021:2039
RHSA-2021:2561 https://access.redhat.com/errata/RHSA-2021:2561
RHSA-2021:2562 https://access.redhat.com/errata/RHSA-2021:2562
USN-6845-1 https://usn.ubuntu.com/6845-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-25638.json
Attack Vector (AV) network
Attack Complexity (AC) high
Privileges Required (PR) none
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) high
Availability Impact (A) none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=1881353
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=1881353
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/hibernate/hibernate-orm
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/hibernate/hibernate-orm/commit/36ebf7d3836e83e99f2a91777b5389e1daf1f2b7
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-25638
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2021/dsa-4908
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://www.debian.org/security/2021/dsa-4908
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.oracle.com//security-alerts/cpujul2021.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://www.oracle.com//security-alerts/cpujul2021.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:32:13Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.70395
EPSS Score 0.00633
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:06:36.999943+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-j8jw-g6fq-mp7h/GHSA-j8jw-g6fq-mp7h.json 38.0.0