Skip to content

[GHSA-2p5w-cvg5-gc5c] A flaw was found in Hibernate. A remote attacker with low...#7408

Merged
advisory-database[bot] merged 1 commit intokmoens/advisory-improvement-7408from
kmoens-GHSA-2p5w-cvg5-gc5c
Apr 16, 2026
Merged

[GHSA-2p5w-cvg5-gc5c] A flaw was found in Hibernate. A remote attacker with low...#7408
advisory-database[bot] merged 1 commit intokmoens/advisory-improvement-7408from
kmoens-GHSA-2p5w-cvg5-gc5c

Conversation

@kmoens
Copy link
Copy Markdown

@kmoens kmoens commented Apr 16, 2026

Updates

  • Affected products
  • Summary

Comments
The Red Hat advisory at https://access.redhat.com/security/cve/cve-2026-0603 mentions: Affected Hibernate ORM versions are 5.2.8 through 5.6.15 (inclusive); earlier versions are not affected.

Copilot AI review requested due to automatic review settings April 16, 2026 11:41
@github-actions github-actions bot changed the base branch from main to kmoens/advisory-improvement-7408 April 16, 2026 11:43
Copilot AI reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the GHSA advisory record with a clearer summary and properly scoped affected Hibernate ORM versions based on the referenced Red Hat CVE information.

Changes:

  • Added a summary field to the advisory JSON.
  • Populated affected with Maven coordinates and a version range for org.hibernate:hibernate-core.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread advisories/unreviewed/2026/01/GHSA-2p5w-cvg5-gc5c/GHSA-2p5w-cvg5-gc5c.json
Comment on lines +23 to +35
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.2.8"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "< 5.6.16"
}
Copy link

Copilot AI Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ranges[].events declares only introduced, which (per OSV semantics) implies the package remains affected indefinitely. Since the advisory text states affected versions are 5.2.8 through 5.6.15 (inclusive), encode an explicit upper bound in events (e.g., add a fixed: \"5.6.16\" or use last_affected: \"5.6.15\"). Keeping the upper bound only in database_specific.last_known_affected_version_range can lead consumers that rely on ranges to incorrectly treat newer versions as vulnerable.

Copilot uses AI. Check for mistakes.
@advisory-database advisory-database bot merged commit b55f1bf into kmoens/advisory-improvement-7408 Apr 16, 2026
7 of 8 checks passed
@advisory-database
Copy link
Copy Markdown
Contributor

advisory-database bot commented Apr 16, 2026

Hi @kmoens! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the kmoens-GHSA-2p5w-cvg5-gc5c branch April 16, 2026 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kmoens