<org.hibernate.sql.Select: java.lang.String toStatementString()>
at <org.hibernate.persister.entity.AbstractEntityPersister: java.lang.String renderSelect(int[],int[],int[])> (org.hibernate.persister.entity.AbstractEntityPersister.java:[3527]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.persister.entity.SingleTableEntityPersister: java.lang.String generateSequentialSelect(org.hibernate.persister.entity.Loadable)> (org.hibernate.persister.entity.SingleTableEntityPersister.java:[970]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.persister.entity.SingleTableEntityPersister: void postInstantiate()> (org.hibernate.persister.entity.SingleTableEntityPersister.java:[1019]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.internal.SessionFactoryImpl: void <init>(org.hibernate.cfg.Configuration,org.hibernate.engine.spi.Mapping,org.hibernate.service.ServiceRegistry,org.hibernate.cfg.Settings,org.hibernate.SessionFactoryObserver)> (org.hibernate.internal.SessionFactoryImpl.java:[422]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.cfg.Configuration: org.hibernate.SessionFactory buildSessionFactory(org.hibernate.service.ServiceRegistry)> (org.hibernate.cfg.Configuration.java:[1737]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.jmx.HibernateService: org.hibernate.SessionFactory buildSessionFactory()> (org.hibernate.jmx.HibernateService.java:[68]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.jmx.SessionFactoryStub: org.hibernate.SessionFactory getImpl()> (org.hibernate.jmx.SessionFactoryStub.java:[124]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.jmx.SessionFactoryStub: org.hibernate.Session getCurrentSession()> (org.hibernate.jmx.SessionFactoryStub.java:[119]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.onebusaway.geocoder.impl.DatabaseCachingGeocoderImpl: org.onebusaway.geocoder.model.GeocoderResults geocode(java.lang.String)> (org.onebusaway.geocoder.impl.DatabaseCachingGeocoderImpl.java:[45]) in /detect/unzip/onebusaway-application-modules-master/onebusaway-geocoder/target/classes
Hi, in onebusaway-application-modules/onebusaway-geocoder, there is a dependency, org.hibernate:hibernate-core:4.0.1.Final, that calls the risk method.
CVE-2020-25638
The affected version range for this CVE is [,5.4.24)
After further analysis, in this project, the main API called is <org.hibernate.sql.Update: java.lang.String toStatementString()>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 10
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.