CVE-2024-39677

Published Jul 8, 2024

Last updated 3 months ago

CVSS critical 9.8

Overview

Description: NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-89
security-advisories@github.com: CWE-89

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 2

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nhibernate:nhibernate-core:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "23371DC1-350D-459D-AB4F-1E251FC87BB8",
            "versionEndExcluding": "5.4.9"
          },
          {
            "criteria": "cpe:2.3:a:nhibernate:nhibernate-core:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "09A1DB68-907D-4000-8F0C-8C2E8C699E7C",
            "versionEndExcluding": "5.5.2",
            "versionStartIncluding": "5.5.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References