Hibernate Second-Order SQL Injection Vulnerability Allowing Information Disclosure and Data Manipulation

Vulnerability

A second-order SQL injection vulnerability has been identified in Hibernate ORM versions 5.2.8 through 5.6.15. A remote attacker with low privileges can abuse the InlineIdsOrClauseBuilder feature by storing crafted, unsanitized non-alphanumeric characters in the ID column; because the stored value is later used without sanitization, the injection takes effect in a second step (hence second-order). Successful exploitation can expose sensitive information, including system files, and allow the attacker to modify or delete data in the application's database, causing an application-level denial of service.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive application data, including system files, and allow for unauthorized modification or deletion of database records. Additionally, the vulnerability could be exploited to execute arbitrary SQL commands, potentially leading to execution of unauthorized code or commands on the server.

Reproduction

To reproduce this vulnerability, use a Hibernate application version 5.2.8 through 5.6.15 that implements the InlineIdsOrClauseBuilder strategy. Inject non-alphanumeric characters into the ID column, which will be processed unsanitized. This can be done by uploading a file with a crafted ID or by using a Python script that exploits the vulnerability. Once the injection is successful, the vulnerability can be demonstrated by deleting database entries or reading sensitive files like '/etc/passwd'.
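One defensive control that follows from the description above is to ensure that identifier values can never contain characters capable of breaking out of an inlined SQL literal, so that no injectable value is ever stored for the second step to use. The following is an added Java example, not code from the Hibernate project or from this advisory: a hypothetical JPA entity with a String primary key whose lifecycle callback rejects any identifier outside a strict allowlist. The entity name, field names and the allowlist pattern are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;

// Hypothetical entity with a String primary key. The identifier policy
// below is an added illustration, not part of Hibernate or the advisory.
@Entity
public class Document {

    // Allowlist (chosen here): ASCII letters, digits, '-' and '_', 1..64 chars.
    // Quotes, ';', comment sequences and other non-alphanumeric characters
    // are rejected before the row exists, so a later bulk HQL update/delete
    // that inlines this id cannot become a second-order SQL injection.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    @Id
    private String id;

    private String title;

    protected Document() { }

    public Document(String id, String title) {
        this.id = id;
        this.title = title;
    }

    /** Returns true when the identifier satisfies the allowlist. */
    public static boolean isSafeId(String candidate) {
        return candidate != null && SAFE_ID.matcher(candidate).matches();
    }

    // Runs before INSERT and before UPDATE; throwing here aborts the flush,
    // so an unsafe identifier never reaches the ID column.
    @PrePersist
    @PreUpdate
    void validateIdentifier() {
        if (!isSafeId(id)) {
            throw new IllegalArgumentException("rejected identifier: " + id);
        }
    }

    public String getId() { return id; }
    public String getTitle() { return title; }
}
```

Rows written before the check was introduced need the same validation applied retroactively, since an already-stored identifier containing such characters is exactly the second-order vector the advisory describes.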

Added: Jan 23, 2026, 7:20 AM
Updated: Jan 23, 2026, 7:20 AM

Vulnerability Rating (Custom Algorithm)

spread: 6.6
impact: 5.8
exploitability: 4.6
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.