Michael Holopainen

Researcher at Solita
Rank #40311 of 53,635
Total CVSS: 6.8
Vulnerabilities: 1
PT-2016-7022
CVSS 6.8
2016-10-05
Pivotal · Spring Data JPA · CVE-2016-6652
**Name of the Vulnerable Software and Affected Versions**

Pivotal Spring Data JPA versions prior to 1.9.6 (Gosling SR6)
Pivotal Spring Data JPA versions 1.10.x prior to 1.10.4 (Hopper SR4)

**Description**

A repository method that defines its query as a JPQL string through the `@Query` annotation and also accepts a `Sort` (directly, or inside a `Pageable`) has the sort properties appended to that string as an ORDER BY clause. Affected versions do not check that each sort property is a plain attribute path, so a `Sort` carrying a function call is spliced into the query unchanged. An attacker who controls the sort input (typically the `sort` request parameter that Spring Data's web support binds into a `Pageable`) can therefore execute arbitrary JPQL.

**Recommendations**

For Pivotal Spring Data JPA versions prior to 1.9.6 (Gosling SR6), update to version 1.9.6 or later. For Pivotal Spring Data JPA versions 1.10.x prior to 1.10.4 (Hopper SR4), update to version 1.10.4 or later.

As a temporary workaround, do not pass request-derived `Sort` or `Pageable` values to repository methods that define a String query with `@Query`, or validate every sort property against an allowlist of entity attribute names before constructing the `Sort`. Restricting `@Query` String queries to methods that take no `Sort` or `Pageable` parameter also removes the injection point.
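To make the affected pattern concrete, here is an added example (written for this page; it is not Pivotal's code and not taken from the advisory) showing a repository and controller in the vulnerable shape next to a hardened variant. The `User` entity, `UserRepository`, endpoint paths and the `SORTABLE` allowlist are hypothetical. It is written against the Spring Data 2.x API (`Sort.by`, `PageRequest.of`) and Jakarta Persistence; on the affected 1.9.x/1.10.x line the equivalents are `new Sort(...)`, `new PageRequest(...)` and `javax.persistence`.

```java
import java.util.Set;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Pageable;
import org.springframework.data.domain.Sort;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical entity, not from the advisory.
@Entity
class User {
    @Id Long id;
    String name;
    String email;
    boolean active;
}

// The precondition named in the advisory: a String query via @Query on a
// method that also takes a Sort (here carried inside the Pageable). Spring
// Data appends the Sort's properties to this JPQL as an ORDER BY clause;
// before 1.9.6 / 1.10.4 it did so without checking that each property is a
// plain attribute path.
interface UserRepository extends JpaRepository<User, Long> {
    @Query("select u from User u where u.active = true")
    Page<User> findActive(Pageable pageable);
}

@RestController
class UserController {
    // Allowlist of attributes a client may sort by; anything else is rejected.
    private static final Set<String> SORTABLE = Set.of("name", "email");

    private final UserRepository users;

    UserController(UserRepository users) {
        this.users = users;
    }

    // Vulnerable shape: the Pageable argument is resolved by Spring Data's web
    // support from ?page=&size=&sort=, so the sort property string comes
    // straight from the request. A constructed value such as
    //   ?sort=lower(name),asc
    // is a function call rather than an attribute, and on an affected version
    // it is spliced into the ORDER BY clause verbatim.
    @GetMapping("/users")
    Page<User> list(Pageable pageable) {
        return users.findActive(pageable);
    }

    // Hardened shape: accept the raw parameters, validate the sort property
    // against the allowlist, and only then build the Sort. This holds on both
    // fixed and unfixed versions.
    @GetMapping("/users/safe")
    Page<User> listSafe(@RequestParam(defaultValue = "0") int page,
                        @RequestParam(defaultValue = "20") int size,
                        @RequestParam(defaultValue = "name") String sortBy,
                        @RequestParam(defaultValue = "asc") String dir) {
        return users.findActive(PageRequest.of(page, size, safeSort(sortBy, dir)));
    }

    // Exact allowlist match: "lower(name)" or any other expression fails the
    // contains() check and never reaches the query string.
    static Sort safeSort(String property, String direction) {
        if (!SORTABLE.contains(property)) {
            throw new IllegalArgumentException("unsupported sort property: " + property);
        }
        // Direction.fromString throws IllegalArgumentException for anything
        // other than ASC/DESC (case-insensitive), so the direction is safe too.
        return Sort.by(Sort.Direction.fromString(direction), property);
    }
}
```

The `list` endpoint is the shape to grep for: a `Pageable` or `Sort` method parameter on a controller, flowing into a repository method annotated with a String `@Query`. Fixed versions validate `Sort` properties and only accept a function call in a sort when it is created deliberately through `JpaSort.unsafe(...)`, so when auditing a codebase on a fixed version, treat any `JpaSort.unsafe` call fed with request-derived input as the same bug reintroduced by hand.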