CWE-564 Hibernate SQL Injection
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged ORM/query-builder usage where untrusted input is concatenated into a query string (HQL/JPQL/criteria-like strings). ORMs don't automatically prevent injection if you build query strings manually.
Why it matters
Injection is still possible when using ORM query strings unsafely.
- Data exfiltration: attackers can read more rows/columns than intended.
- Data tampering: modify or delete records.
- Auth bypass when login/role queries are injectable.
Safer examples
1) Use parameter binding (don't concatenate)
Always bind parameters instead of stitching user input into query strings.
2) Allowlist sort/filter fields
If you let users choose sort/field names, map choices to known column names rather than trusting raw input (see API01).
3) Use least-privilege DB accounts
Even with safe queries, restrict DB permissions to minimize blast radius.
How SiteShadow detects it (high level)
- Detects query string construction in ORM APIs and tracks untrusted values flowing into the query text.
- Flags cases where parameter binding is absent near database execution.
References
- CWE-564: https://cwe.mitre.org/data/definitions/564.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.