Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-564 (SQL注入:Hibernate) — Vulnerability Class 7

7 vulnerabilities classified as CWE-564 (SQL注入:Hibernate). AI Chinese analysis included.

CWE-564 represents a critical SQL Injection weakness specific to the Hibernate ORM framework, occurring when developers construct dynamic HQL or native SQL queries using unsanitized user-controlled input. Attackers exploit this vulnerability by injecting malicious SQL fragments into input fields, thereby altering the intended query logic or executing arbitrary database commands. This manipulation can lead to unauthorized data access, data modification, or complete system compromise. To prevent such exploits, developers must strictly avoid string concatenation for query construction. Instead, they should utilize Hibernate’s parameterized queries or prepared statements, which ensure that user input is treated strictly as data rather than executable code. Additionally, implementing robust input validation and adhering to the principle of least privilege for database accounts further mitigates the risk of successful injection attacks.

MITRE CWE Description
Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Common Consequences (1)
Confidentiality, IntegrityRead Application Data, Modify Application Data
Mitigations (5)
RequirementsA non-SQL style database which is not subject to this flaw may be chosen.
Architecture and DesignFollow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data.
Architecture and DesignFor any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
ImplementationImplement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.
ImplementationUse vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.
Examples (1)
The following code excerpt uses Hibernate's HQL syntax to build a dynamic query that's vulnerable to SQL injection.
String street = getStreetFromUser(); Query query = session.createQuery("from Address a where a.street='" + street + "'");
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2026-4594 erupts erupt EruptJpaUtils.java geneEruptHqlOrderBy sql injection — erupt 7.3 High2026-03-23
CVE-2026-4593 erupts erupt MCP Tool EruptDataQuery.java EruptDataQuery sql injection — erupt 6.3 Medium2026-03-23
CVE-2026-23959 CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier — CoreShop 4.9AIMediumAI2026-01-22
CVE-2026-22242 CoreShop Vulnerable to SQL Injection via Admin Reports — CoreShop 4.9 Medium2026-01-08
CVE-2025-8052 HQL Injection vulnerability has been discovered in Opentext Flipper. — Flipper 8.1AIHighAI2025-10-20
CVE-2024-48988 Apache StreamPark: SQL injection vulnerability — Apache StreamPark 9.8 -2025-08-22
CVE-2025-0959 Eventer - WordPress Event & Booking Manager Plugin <= 3.9.9.2 - Authenticated (Subscriber+) SQL Injection via reg_id — Eventer - WordPress Event & Booking Manager Plugin 8.8 High2025-03-07

Vulnerabilities classified as CWE-564 (SQL注入:Hibernate) represent 7 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.