Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14cjR2LTI4cm0tcHZnd84AAbZp

Improper Neutralization of Special Elements used in an SQL Command in Pivotal Spring Data JPA

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.

Permalink: https://github.com/advisories/GHSA-xr4v-28rm-pvgw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjR2LTI4cm0tcHZnd84AAbZp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.6
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-xr4v-28rm-pvgw, CVE-2016-6652
References: Repository: https://github.com/spring-projects/spring-data-jpa
Blast Radius: 25.8

Affected Packages

maven:org.springframework.data:spring-data-jpa
Dependent packages: 731
Dependent repositories: 41,140
Downloads:
Affected Version Ranges: >= 1.10.0, < 1.10.4, < 1.9.6
Fixed in: 1.10.4, 1.9.6
All affected versions:
All unaffected versions: 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5