Dependency org.hibernate:hibernate-core, leading to CVE problem

[CVEDetect]

Hi, In biubiu，there is a dependency org.hibernate:hibernate-core:4.3.8.Final that calls the risk method.

CVE-2020-25638

The scope of this CVE affected version is [,5.4.24.Final)

After further analysis, in this project, the main Api called is <org.hibernate.sql.Insert: java.lang.String toStatementString()>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 7

<org.hibernate.sql.Insert: java.lang.String toStatementString()>
at <org.hibernate.persister.entity.AbstractEntityPersister: java.lang.String generateIdentityInsertString(boolean[])> (org.hibernate.persister.entity.AbstractEntityPersister.java:[2790]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.persister.entity.AbstractEntityPersister: void doLateInit()> (org.hibernate.persister.entity.AbstractEntityPersister.java:[4012]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.persister.entity.AbstractEntityPersister: void postInstantiate()> (org.hibernate.persister.entity.AbstractEntityPersister.java:[4015]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.internal.SessionFactoryImpl: void <init>(org.hibernate.cfg.Configuration,org.hibernate.engine.spi.Mapping,org.hibernate.service.ServiceRegistry,org.hibernate.cfg.Settings,org.hibernate.SessionFactoryObserver)> (org.hibernate.internal.SessionFactoryImpl.java:[481]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.cfg.Configuration: org.hibernate.SessionFactory buildSessionFactory(org.hibernate.service.ServiceRegistry)> (org.hibernate.cfg.Configuration.java:[1859]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <com.utils.HibernateUtils: void <clinit>()> (com.utils.HibernateUtils.java:[33]) in /detect/unzip/biubiu-master/target/classes

Dependency tree--

[INFO] com:biubiu:war:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat:tomcat-servlet-api:jar:8.5.15:provided
[INFO] +- org.apache.tomcat:tomcat-jsp-api:jar:8.5.15:provided
[INFO] |  \- org.apache.tomcat:tomcat-el-api:jar:8.5.15:provided
[INFO] +- org.apache.tomcat:tomcat-websocket:jar:8.5.15:provided
[INFO] |  +- org.apache.tomcat:tomcat-juli:jar:8.5.15:provided
[INFO] |  \- org.apache.tomcat:tomcat-util:jar:8.5.15:provided
[INFO] +- org.apache.tomcat:tomcat-websocket-api:jar:8.5.15:provided
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- org.apache.struts:struts2-core:jar:2.3.34:compile
[INFO] |  +- org.apache.struts.xwork:xwork-core:jar:2.3.34:compile
[INFO] |  |  +- asm:asm:jar:3.3:compile
[INFO] |  |  \- asm:asm-commons:jar:3.3:compile
[INFO] |  |     \- asm:asm-tree:jar:3.3:compile
[INFO] |  +- org.freemarker:freemarker:jar:2.3.22:compile
[INFO] |  +- ognl:ognl:jar:3.0.21:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO] |  \- commons-io:commons-io:jar:2.2:compile
[INFO] +- net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.8.0:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.5:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] +- org.apache.struts:struts2-json-plugin:jar:2.3.24:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.2:compile
[INFO] +- org.hibernate:hibernate-core:jar:4.3.8.Final:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.1.3.GA:compile
[INFO] |  +- org.jboss.logging:jboss-logging-annotations:jar:1.2.0.Beta1:compile
[INFO] |  +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.0.0.Final:compile
[INFO] |  +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  |  \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] |  +- org.hibernate.common:hibernate-commons-annotations:jar:4.0.5.Final:compile
[INFO] |  +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] |  +- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  \- org.jboss:jandex:jar:1.1.0.Final:compile
[INFO] +- org.hibernate:hibernate-proxool:jar:4.3.8.Final:compile
[INFO] |  \- proxool:proxool:jar:0.8.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.0:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.2.0:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.16:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:3.6.1:compile
[INFO] \- com.qcloud:cos_api:jar:4.4:compile
[INFO]    +- org.apache.httpcomponents:httpclient:jar:4.5.1:compile
[INFO]    +- org.apache.httpcomponents:httpcore:jar:4.4.3:compile
[INFO]    +- org.apache.httpcomponents:httpmime:jar:4.5.1:compile
[INFO]    +- org.json:json:jar:20140107:compile
[INFO]    +- commons-codec:commons-codec:jar:1.9:compile
[INFO]    \- junit:junit:jar:4.12:compile
[INFO]       \- org.hamcrest:hamcrest-core:jar:1.3:compile

Suggested solutions:

Update dependency version to 5.4.24.Final

Thank you very much.

[CVEDetect]

@coderzc Could please help me check this issue? May I pull a request to fix it? Thanks again.