CWE-564 Hibernate SQL Injection
What this means
SiteShadow flagged ORM/query-builder usage where untrusted input is concatenated into a query string (HQL/JPQL/criteria-like strings). An ORM does not prevent injection on its own: if you assemble the query text by hand, the untrusted value becomes part of the query just as it would in raw SQL.
Why it matters
Injection is still possible when using ORM query strings unsafely.
- Data exfiltration: attackers can read more rows/columns than intended.
- Data tampering: modify or delete records.
- Auth bypass when login/role queries are injectable.
Safer examples
1) Use parameter binding (don't concatenate)
Always bind parameters instead of stitching user input into query strings.
2) Allowlist sort/filter fields
If you let users choose sort/field names, map their choices to known column names rather than trusting raw input; identifiers cannot be bound as parameters, so an allowlist is the only safe way to accept them (see API01).
3) Use least-privilege DB accounts
Even with safe queries, restrict DB permissions to minimize blast radius.
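The three recommendations above shown side by side in Java using Hibernate's Session API. This is an added example, not SiteShadow's own code; the User entity, its properties, the SORT_FIELDS allowlist contents and the method names are assumptions.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;

// Minimal mapped entity assumed for the example (Hibernate 5 / javax.persistence).
@Entity
class User {
    @Id Long id; String name; Instant createdAt;
}

public class UserRepository {
    private final Session session;

    public UserRepository(Session session) {
        this.session = session;
    }

    // CWE-564 pattern SiteShadow flags: untrusted 'name' becomes part of the HQL
    // text, so it can change the query's structure. Kept only for contrast.
    public List<User> findByNameUnsafe(String name) {
        String hql = "from User u where u.name = '" + name + "'";
        return session.createQuery(hql, User.class).getResultList();
    }

    // 1) Parameter binding: the value is sent separately from the query text.
    public List<User> findByName(String name) {
        return session.createQuery("from User u where u.name = :name", User.class)
                .setParameter("name", name)
                .getResultList();
    }

    // 2) Allowlist: identifiers cannot be bound, so user-supplied sort keys are
    // mapped to known property names and anything else is rejected.
    private static final Map<String, String> SORT_FIELDS = Map.of(
            "name", "u.name",
            "created", "u.createdAt");

    public List<User> findAllSorted(String sortKey, boolean descending) {
        String field = SORT_FIELDS.get(sortKey);
        if (field == null) {
            throw new IllegalArgumentException("unsupported sort field: " + sortKey);
        }
        String hql = "from User u order by " + field + (descending ? " desc" : " asc");
        return session.createQuery(hql, User.class).getResultList();
    }
}
```

Item 3) is enforced outside the code: grant the application's database account only the privileges its queries actually need.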
How SiteShadow detects it (high level)
- Detects query string construction in ORM APIs and tracks untrusted values flowing into the query text.
- Flags cases where parameter binding is absent near database execution.
References
- CWE-564: https://cwe.mitre.org/data/definitions/564.html
---