CVE-2024-39677

Published Jul 8, 2024

Last updated 6 months ago

CVSS critical 9.8

Overview

Description
NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.
Source
security-advisories@github.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

nvd@nist.gov
CWE-89
security-advisories@github.com
CWE-89

Social media

Hype score
Not currently trending

  1. If you come across a Windows IIS server, definitely scan the shortname and try to obtain the files by fuzzing, this may allow you to find vulnerabilities like 'CVE-2024-39677: NHibernate SQL Injection Vulnerability ' By:@ynsmroztas #BugBounty #bugbountytips https://t.co/3zT5jNW

    @RootMoksha

    14 Nov 2024

    5653 Impressions

    25 Retweets

    141 Likes

    89 Bookmarks

    1 Reply

    0 Quotes

  2. If you come across a Windows IIS server, definitely scan the shortname and try to obtain the files by fuzzing, this may allow you to find vulnerabilities like 'CVE-2024-39677: NHibernate SQL Injection Vulnerability ' 🥰🌹🥳🥳 #BugBounty #bugbountytips https://t.co/FCo1FbySPw

    @ynsmroztas

    9 Nov 2024

    15799 Impressions

    61 Retweets

    391 Likes

    295 Bookmarks

    9 Replies

    0 Quotes

Configurations

References