NHibernate SQL injection vulnerability in discriminator mappings, static fields referenced in HQL, and some utilities
Description
NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Code that calls these methods is exposed. Affected callers include: mappings that use inheritance with discriminator values; HQL queries that reference a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities who call the AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods to build SQL queries in application code. This vulnerability is fixed in 5.4.9 and 5.5.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| NHibernate | NuGet | < 5.4.9 | 5.4.9 |
| NHibernate | NuGet | >= 5.5.0, < 5.5.2 | 5.5.2 |
Affected products
- Range: < 5.4.9
References
- github.com/advisories/GHSA-fg4q-ccq8-3r5q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-39677 (NVD advisory)
- github.com/nhibernate/nhibernate-core/commit/b4a69d1a5ff5744312478d70308329af496e4ba9 (commit)
- github.com/nhibernate/nhibernate-core/issues/3516 (issue)
- github.com/nhibernate/nhibernate-core/pull/3517 (pull request)
- github.com/nhibernate/nhibernate-core/pull/3547 (pull request)
- github.com/nhibernate/nhibernate-core/security/advisories/GHSA-fg4q-ccq8-3r5q (vendor advisory)