CVE-2019-14900

Name: CVE-2019-14900
Creator: NVD / NIST
Published: 2020-07-06T19:15:12.23+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 2.13%

Last modified Jun 17, 2026

CVE-2019-14900 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. EPSS estimates a 2.13% chance of exploitation in the next 30 days.

Description

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

2.13%

79.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-89

Affected Software

Vendor	Product	Versions
Hibernate	Hibernate Orm	< 5.3.18
Hibernate	Hibernate Orm	>= 5.4.0, < 5.4.18
Redhat	Build Of Quarkus	All versions
Redhat	Decision Manager	7.0
Redhat	Fuse	< 7.8.0
Redhat	Jboss Data Grid	7.0.0
Redhat	Jboss Enterprise Application Platform	All versions
Redhat	Jboss Middleware Text-Only Advisories	All versions
Redhat	Openstack	10
Redhat	Openstack	13
Redhat	Openstack	14
Redhat	Single Sign-On	All versions
Quarkus	Quarkus	<= 1.5.2
Redhat	Jboss Enterprise Application Platform	7.3
Redhat	Jboss Enterprise Application Platform	7.4
Redhat	Jboss Enterprise Application Platform	7.2

References

https://bugzilla.redhat.com/show_bug.cgi?id=1666499Issue Tracking, Third Party Advisory
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
https://security.netapp.com/advisory/ntap-20220210-0020/Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1666499Issue Tracking, Third Party Advisory
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
https://security.netapp.com/advisory/ntap-20220210-0020/Third Party Advisory

Timeline

Published: Jul 6, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-14900?

How severe is CVE-2019-14900?

CVE-2019-14900 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 2.13% probability of exploitation in the next 30 days.

How do I fix CVE-2019-14900?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-14900?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST