CVE-2024-39677
CRITICAL EPSS 43.3%
Published Jul 8, 20241y ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Published Jul 8, 2024 1y ago
Last Modified Jun 17, 2026 1w ago
Description
NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
43.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-89 SQL Injection Injection
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| nhibernate | nhibernate-core | * | <5.4.9 |
| nhibernate | nhibernate-core | * | ≥5.5.0 – <5.5.2 |
References 5
- github.com https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9
- github.com https://github.com/nhibernate/nhibernate-core/issues/3516
- github.com https://github.com/nhibernate/nhibernate-core/pull/3517
- github.com https://github.com/nhibernate/nhibernate-core/pull/3547
- github.com https://github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q
Remediation
- github.com https://github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9
- github.com https://github.com/nhibernate/nhibernate-core/pull/3547