GHSA-xr4v-28rm-pvgw

Source
https://github.com/advisories/GHSA-xr4v-28rm-pvgw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xr4v-28rm-pvgw/GHSA-xr4v-28rm-pvgw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xr4v-28rm-pvgw
Aliases
Published
2022-05-17T02:37:09Z
Modified
2023-11-01T04:47:06.443259Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Improper Neutralization of Special Elements used in an SQL Command in Pivotal Spring Data JPA
Details

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.

Database specific
{
    "nvd_published_at": "2016-10-05T16:59:00Z",
    "github_reviewed_at": "2022-07-06T19:45:18Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Maven / org.springframework.data:spring-data-jpa

Package

Name
org.springframework.data:spring-data-jpa
Purl
pkg:maven/org.springframework.data/spring-data-jpa

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.9.6

Affected versions

1.*

1.0.0.RELEASE
1.0.1.RELEASE
1.0.2.RELEASE
1.0.3.RELEASE
1.1.0.RELEASE
1.1.1.RELEASE
1.1.2.RELEASE
1.2.0.RELEASE
1.2.1.RELEASE
1.3.0.RELEASE
1.3.1.RELEASE
1.3.2.RELEASE
1.3.3.RELEASE
1.3.4.RELEASE
1.3.5.RELEASE
1.4.0.RELEASE
1.4.1.RELEASE
1.4.2.RELEASE
1.4.3.RELEASE
1.4.4.RELEASE
1.4.5.RELEASE
1.5.0.RELEASE
1.5.1.RELEASE
1.5.2.RELEASE
1.5.3.RELEASE
1.6.0.RELEASE
1.6.1.RELEASE
1.6.2.RELEASE
1.6.4.RELEASE
1.6.5.RELEASE
1.6.6.RELEASE
1.7.0.RELEASE
1.7.1.RELEASE
1.7.2.RELEASE
1.7.3.RELEASE
1.7.4.RELEASE
1.8.0.RC1
1.8.0.RELEASE
1.8.1.RELEASE
1.8.2.RELEASE
1.9.0.RELEASE
1.9.1.RELEASE
1.9.2.RELEASE
1.9.4.RELEASE
1.9.5.RELEASE

Maven / org.springframework.data:spring-data-jpa

Package

Name
org.springframework.data:spring-data-jpa
Purl
pkg:maven/org.springframework.data/spring-data-jpa

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.10.0
Fixed
1.10.4

Affected versions

1.*

1.10.0.RELEASE
1.10.1.RELEASE
1.10.2.RELEASE
1.10.3.RELEASE