CVE-2019-3802 – org.springframework.data:spring-data-jpa
Package
Manager: maven
Name: org.springframework.data:spring-data-jpa
Vulnerable Version: >=2.1.0 <2.1.8 || >=2.0.0 <2.1.8 || >=0 <1.11.22
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00243 (percentile: 0.47476)
Details
Improper Neutralization of Wildcards or Matching Symbols. This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.
Metadata
Created: 2019-06-04T15:42:15Z
Modified: 2021-08-04T20:41:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-xggx-fx6w-v7ch/GHSA-xggx-fx6w-v7ch.json
CWE IDs: ["CWE-155", "CWE-200"]
Alternative ID: GHSA-xggx-fx6w-v7ch
Finding: F026
Auto approve: 1