CWE-564: SQL Injection: Hibernate

VariantIncomplete

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
SQL
Platforms

Frequently Asked Questions

What is CWE-564: SQL Injection: Hibernate?+

CWE-564: SQL Injection: Hibernate is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

What are the security consequences of SQL Injection: Hibernate?+

If exploited, CWE-564 (SQL Injection: Hibernate) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Application Data and Modify Application Data.

How do you prevent or mitigate SQL Injection: Hibernate?+

Recommended mitigations for CWE-564 include: A non-SQL style database which is not subject to this flaw may be chosen. Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others' data. Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.

Which programming languages are affected by SQL Injection: Hibernate?+

CWE-564 commonly affects SQL. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-564 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More