{ "threat_severity" : "Important", "public_date" : "2026-01-19T10:10:00Z", "bugzilla" : { "description" : "org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection", "id" : "2427147", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2427147" }, "cvss3" : { "cvss3_base_score" : "8.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status" : "verified" }, "cwe" : "CWE-89", "details" : [ "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.", "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service." ], "statement" : "This vulnerability is rated Important for Red Hat products as it allows a remote attacker with low privileges to perform second-order SQL injection in applications using Hibernate's InlineIdsOrClauseBuilder with unsanitized non-alphanumeric characters in the ID column. This could lead to sensitive information disclosure and data manipulation or deletion.Affected Hibernate ORM versions are 5.2.8 through 5.6.15 (inclusive); earlier versions are not affected.", "acknowledgement" : "Red Hat would like to thank Christiaan Swiers (YouGina) and Tommy Williams (HeroDevs) for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6012", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-hibernate-0:5.1.17-4.Final_redhat_00005.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6012", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-0:7.1.14-4.GA_redhat_00003.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6011", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-hibernate-0:5.3.38-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6011", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-wildfly-0:7.3.17-5.GA_redhat_00006.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4924", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "hibernate-core" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4915", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el7", "package" : "eap7-hibernate-0:5.3.38-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4915", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el7", "package" : "eap7-wildfly-0:7.4.24-4.GA_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4916", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el8", "package" : "eap7-hibernate-0:5.3.38-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4916", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el8", "package" : "eap7-wildfly-0:7.4.24-4.GA_redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4917", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el9", "package" : "eap7-hibernate-0:5.3.38-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4917", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el9", "package" : "eap7-wildfly-0:7.4.24-4.GA_redhat_00002.1.el9eap" } ], "package_state" : [ { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Affected", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Affected", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-trustyai-service-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-trustyai-service-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/openvsx-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/pluginregistry-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "hibernate-core", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-0603\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0603" ], "name" : "CVE-2026-0603", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }