Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities in hibernate-core #1697

Closed
MaximMoinat opened this issue Nov 23, 2020 · 5 comments · Fixed by #1728
Closed

Vulnerabilities in hibernate-core #1697

MaximMoinat opened this issue Nov 23, 2020 · 5 comments · Fixed by #1728
Assignees
@ssuvorov-fls
Projects
Atlas v2.8.1
Milestone
V2.8.1

Comments

@MaximMoinat
Copy link
Contributor

We found a number of vulnerabilities (identified by Snyk) in the WebApi. Most of which can be fixed easily by updating the dependencies.

Issue

SQL Injection. Introduced through: org.hibernate:hibernate-core@5.4.2.Final, org.hibernate:hibernate-entitymanager@5.4.2.Final and others

A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Remediations
@olga-ganina olga-ganina added this to the V2.8.0 - Backlog milestone Nov 24, 2020
@olga-ganina olga-ganina added this to TO DO in Atlas v2.8 via automation Nov 24, 2020
@chrisknoll chrisknoll mentioned this issue Nov 24, 2020
Closed
@olga-ganina olga-ganina removed this from TO DO in Atlas v2.8 Nov 26, 2020
@olga-ganina olga-ganina modified the milestones: Post 2.8, V2.8.1 Dec 22, 2020
ssuvorov-fls added a commit that referenced this issue Dec 30, 2020
@ssuvorov-fls
raised versions of hibernate(#1697)
3fcf2a5
@ssuvorov-fls ssuvorov-fls mentioned this issue Dec 30, 2020
Merged
ssuvorov-fls added a commit that referenced this issue Jan 12, 2021
@ssuvorov-fls
raised version of postgresql driver(#1697)
926d7af
chrisknoll pushed a commit that referenced this issue Jan 12, 2021
@ssuvorov-fls @chrisknoll
raised version of postgresql driver(#1697)
1e2fe2e
anton-abushkevich added a commit that referenced this issue Jan 14, 2021
@ssuvorov-fls @anton-abushkevich
raised versions of hibernate(#1697) (#1728)
ad2b7de 
Co-authored-by: Sergey Suvorov <sergey.suvorov@odysseusinc.com>
Co-authored-by: Anton Abushkevich <anton.abushkevich@gmail.com>
@KSadomtsev KSadomtsev added this to To do in Atlas v2.8.1 via automation Jan 18, 2021
@KSadomtsev KSadomtsev moved this from To do to Done in Atlas v2.8.1 Jan 18, 2021
@ssuvorov-fls
Copy link
Contributor

Eager loading is ignored in 5.4.24 org.hibernate:hibernate-core@5.4.24.Final so it was reverted to org.hibernate:hibernate-core@5.4.21.Final
Bug with absent eager loading - #1758

@chrisknoll
Copy link
Collaborator

Do you know if this works in 5.4.27?

@ssuvorov-fls
Copy link
Contributor

@chrisknoll
No, it doesn't, the last working version is 5.4.21

@chrisknoll
Copy link
Collaborator

chrisknoll commented Jan 28, 2021
edited

That's odd, i was hoping this was the issue that was in hibernate core: hibernate/hibernate-reactive#453

@ssuvorov-fls
Copy link
Contributor

Yes, it's very strange changes. After 5.4.21 hibernate does not generate sql for collections with eager fetching before such collections are used

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ssuvorov-fls ssuvorov-fls

Labels
None yet
Projects
No open projects
Atlas v2.8.1
Done
Milestone
V2.8.1
Development

Successfully merging a pull request may close this issue.

raised versions of hibernate OHDSI/WebAPI
4 participants
@chrisknoll @MaximMoinat @ssuvorov-fls @olga-ganina