Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14cjR2LTI4cm0tcHZnd84AAbZp
Improper Neutralization of Special Elements used in an SQL Command in Pivotal Spring Data JPA
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
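The affected pattern is a repository method that declares its JPQL with a String-based @Query and also accepts a Sort. The framework appends an ORDER BY clause built from the Sort's property names to that JPQL, so if the property name is taken straight from a request parameter, a caller can supply a JPQL function call or other expression instead of a property. The example below is added here and is not code from the advisory or from Spring Data JPA; the entity, repository and controller names (User, UserRepository, UserController) and the allowlist contents are assumed. It shows the vulnerable controller beside a hardened one that only lets allowlisted property names into the Sort; this application-level check remains good practice even on fixed versions, where Spring Data JPA itself rejects function calls in Sort properties for @Query methods unless they are opted in with JpaSort.unsafe(...).

```java
// Added example, not Spring Data JPA's own code. Names below are assumed.
// Written against the Spring Data 1.x Sort API that the affected versions use
// (new Sort(Direction, String...)); on 2.x this is Sort.by(Direction, String...).
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.springframework.data.domain.Sort;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@Entity
class User {
    @Id Long id;
    String username;
    String email;
    boolean active;
}

// The affected pattern: a String-based @Query plus a Sort parameter. The
// framework turns the Sort's property names into an ORDER BY appended to
// this JPQL; on < 1.9.6 and 1.10.x < 1.10.4 a function call in a property
// name goes through unvalidated.
interface UserRepository extends JpaRepository<User, Long> {
    @Query("select u from User u where u.active = true")
    List<User> findActive(Sort sort);
}

@RestController
class UserController {

    // Assumed allowlist of entity properties the client may sort on.
    private static final Set<String> SORTABLE =
            new HashSet<>(Arrays.asList("username", "email"));

    private final UserRepository users;

    UserController(UserRepository users) {
        this.users = users;
    }

    // VULNERABLE: the sort property is whatever the client sent, so on an
    // affected version a JPQL expression in ?sort= lands in the ORDER BY.
    @GetMapping("/users/unsafe")
    List<User> listUnsafe(@RequestParam String sort) {
        return users.findActive(new Sort(Sort.Direction.ASC, sort));
    }

    // HARDENED: reject anything that is not a known property name before it
    // reaches the Sort. The check is an exact match against the allowlist,
    // so parentheses, commas or subselects never get as far as the query.
    @GetMapping("/users")
    List<User> list(@RequestParam(defaultValue = "username") String sort) {
        if (!SORTABLE.contains(sort)) {
            throw new IllegalArgumentException("unsupported sort property: " + sort);
        }
        return users.findActive(new Sort(Sort.Direction.ASC, sort));
    }
}
```

The same check applies when the Sort arrives indirectly, for example through a Pageable resolved from request parameters by Spring Data's web support: validate the resolved Sort's property names against the allowlist before handing it to a @Query repository method. Upgrading to 1.9.6 or 1.10.4 is still required; the allowlist only limits what an attacker can reach through this one endpoint.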
Permalink: https://github.com/advisories/GHSA-xr4v-28rm-pvgw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjR2LTI4cm0tcHZnd84AAbZp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.6
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-xr4v-28rm-pvgw, CVE-2016-6652
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-6652
- https://github.com/spring-projects/spring-data-jpa/commit/b8e7fe
- https://jira.spring.io/browse/DATAJPA-965
- https://pivotal.io/security/cve-2016-6652
- https://security.gentoo.org/glsa/201701-01
- http://www.securityfocus.com/bid/93276
- https://github.com/advisories/GHSA-xr4v-28rm-pvgw
Blast Radius: 25.8
Affected Packages
maven:org.springframework.data:spring-data-jpa
Dependent packages: 731
Dependent repositories: 41,140
Affected Version Ranges: >= 1.10.0, < 1.10.4, < 1.9.6
Fixed in: 1.10.4, 1.9.6
All affected versions:
All unaffected versions: 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5