CVE-2016-6652
- Source
- https://cve.org/CVERecord?id=CVE-2016-6652
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6652.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2016-6652
- Aliases
- Published
- 2016-10-05T16:59:04.757Z
- Modified
- 2026-05-18T09:59:28.967706Z
- Severity
-
- 5.6 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
- References
Affected packages
Git / github.com/spring-projects/spring-data-jpa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/spring-projects/spring-data-jpa
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affected
- Database specific
{ "cpe": [ "cpe:2.3:a:pivotal_software:spring_data_jpa:*:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_jpa:1.10.2:*:*:*:*:*:*:*" ], "source": "CPE_FIELD", "extracted_events": [ { "introduced": "0" }, { "last_affected": "1.9.4" }, { "last_affected": "1.10.2" } ] }
Affected versions
1.*
1.0.0.M1
1.0.0.M2
1.0.0.RC1
1.0.0.RELEASE
1.1.0.M1
1.1.0.RC1
1.1.0.RELEASE
1.10.0.M1
1.10.0.RC1
1.10.0.RELEASE
1.10.1.RELEASE
1.10.2.RELEASE
1.2.0.M1
1.2.0.RC1
1.2.0.RELEASE
1.3.0.RELEASE
1.4.0.M1
1.4.0.RC1
1.4.0.RELEASE
1.5.0.M1
1.5.0.RC1
1.5.0.RELEASE
1.6.0.M1
1.6.0.RC1
1.6.0.RELEASE
1.7.0.M1
1.7.0.RC1
1.7.0.RELEASE
1.8.0.M1
1.8.0.RC1
1.8.0.RELEASE
1.9.0.M1
1.9.0.RC1
1.9.0.RELEASE
1.9.1.RELEASE
1.9.2.RELEASE
1.9.4.RELEASE