CVE-2024-39677: 
C# vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2024-39677) was discovered in NHibernate, an object-relational mapper for the .NET framework. The vulnerability exists in some types implementing ILiteralType.ObjectToSQLString and affects versions prior to 5.4.9 and 5.5.2. The issue was discovered in April 2024 and patched in July 2024 (GitHub Advisory).

The vulnerability stems from improper implementation of the ObjectToSQLString method in various ILiteralType implementations. The affected components include string handling, character types, datetime types, and numeric types. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL by NIST (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while GitHub assessed it with a score of 5.9 MEDIUM (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). The vulnerability is classified as CWE-89 (SQL Injection) (NVD).

The vulnerability affects several features in NHibernate: mappings using inheritance with discriminator values, HQL queries referencing static fields of the application, users of the SqlInsertBuilder and SqlUpdateBuilder utilities calling their AddColumn overload with literal values, and any direct use of the ObjectToSQLString methods for building SQL queries. The vulnerability could potentially allow attackers to inject malicious SQL code through these vectors (GitHub Advisory).

The vulnerability has been fixed in versions 5.4.9 and 5.5.2. For users unable to upgrade immediately, workarounds include avoiding the use of affected features, ensuring discriminator values in mappings do not contain quotes for string discriminators, and performing sanity checks of current culture settings when using types sensitive to culture (integers for negative values, dates, times, datetimes, floats, and decimals) (GitHub Advisory).