CVE-2016-6652 – org.springframework.data:spring-data-jpa
Package
Manager: maven
Name: org.springframework.data:spring-data-jpa
Vulnerable Version: >=0 <=1.9.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00317 (percentile 0.54151)
Details
Improper Neutralization of Special Elements used in an SQL Command (CWE-89).
Pivotal Spring Data JPA SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
Metadata
Created: 2022-05-17T02:37:09Z
Modified: 2022-07-06T19:45:18Z
Source: MANUAL
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-xr4v-28rm-pvgw
Finding: F106
Auto approve: 1