PT-2016-7022 · Pivotal · Spring Data JPA

Author: Antti Ahola
Published: 2016-10-05
Updated: 2022-05-17
CVE: CVE-2016-6652
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Pivotal Spring Data JPA versions prior to 1.9.6 (Gosling SR6)
Pivotal Spring Data JPA versions 1.10.x prior to 1.10.4 (Hopper SR4)

Description
The issue allows attackers to execute arbitrary JPQL commands via a Sort instance that carries a function call, when that Sort is passed to a repository method that defines a String query using the @Query annotation.

Recommendations
For Pivotal Spring Data JPA versions prior to 1.9.6 (Gosling SR6), update to version 1.9.6 or later. For Pivotal Spring Data JPA versions 1.10.x prior to 1.10.4 (Hopper SR4), update to version 1.10.4 or later. As a temporary workaround, consider restricting the use of the @Query annotation in repositories that define String queries.
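The affected pattern is a String-based @Query whose ORDER BY clause is assembled from a Sort built out of request input. The following is an added example, not code from the advisory or from the Spring Data project: a hypothetical entity and repository showing that pattern, plus a helper that builds the Sort only from an allow-list of plain entity property names, so no function call or other JPQL fragment from the request can reach the query. The entity, repository and helper names are assumptions; the example uses the `Sort.by` factory of Spring Data Commons 2.x (on the 1.x line the equivalent is the `new Sort(Direction, String...)` constructor), `javax.persistence` annotations, and `Set.of` from Java 9 or later.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.persistence.Entity;
import javax.persistence.Id;

import org.springframework.data.domain.Sort;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;

// Hypothetical JPA entity, assumed for this example.
@Entity
class Account {
    @Id
    Long id;
    String email;
    String lastName;
    boolean active;
}

// The affected pattern: a String JPQL query declared with @Query, combined
// with a Sort parameter whose properties are appended as the ORDER BY clause.
interface AccountRepository extends JpaRepository<Account, Long> {
    @Query("select a from Account a where a.active = true")
    List<Account> findActive(Sort sort);
}

// Hypothetical helper: turns request parameters into a Sort only after the
// property name has been checked against an allow-list of real entity
// properties and a strict identifier pattern.
final class SafeSort {
    private static final Set<String> ALLOWED_PROPERTIES = Set.of("email", "lastName", "id");
    private static final Pattern SIMPLE_PROPERTY = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*$");

    private SafeSort() {}

    static Sort fromRequest(String property, String direction) {
        if (property == null
                || !SIMPLE_PROPERTY.matcher(property).matches()
                || !ALLOWED_PROPERTIES.contains(property)) {
            throw new IllegalArgumentException("sort property not permitted: " + property);
        }
        Sort.Direction dir = "desc".equalsIgnoreCase(direction)
                ? Sort.Direction.DESC
                : Sort.Direction.ASC;
        return Sort.by(dir, property);
    }

    // Demonstrates both outcomes without a database: a plain property is
    // accepted, while a value containing a function call is rejected before
    // any Sort (and therefore any ORDER BY text) is built.
    public static void main(String[] args) {
        System.out.println(SafeSort.fromRequest("lastName", "desc"));
        try {
            SafeSort.fromRequest("lower(lastName)", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A controller would call `SafeSort.fromRequest(...)` and pass the result to `findActive`, never constructing a Sort directly from query-string values. The allow-list is the important part: the identifier pattern alone would still accept any property name, so keep the list to the properties the endpoint is meant to order by. This validation is a defence in depth, not a substitute for the upgrade; the fixed releases reject function-call ordering in a plain Sort and require the explicit `JpaSort.unsafe(...)` opt-in for it.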

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2016-6652
GHSA-XR4V-28RM-PVGW

Affected Products

Spring Data JPA