PT-2019-16726 · Spring · Spring Data Jpa

Maruthi Adithya G · Published 2019-05-06 · Updated 2020-02-10 · CVE-2019-3797

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Spring Data JPA versions up to and including 2.1.5
Spring Data JPA version 2.0.13
Spring Data JPA version 1.11.19

Description

The issue affects derived queries that use certain predicates, such as startingWith, endingWith, or containing. When a maliciously crafted query parameter value is supplied, these queries could return more results than anticipated. Additionally, LIKE expressions in manually defined queries may return unexpected results if the bound parameter values do not have reserved characters properly escaped.

Recommendations

For Spring Data JPA version 2.1.5, update to a version that includes the necessary fixes to prevent unexpected query results.
For Spring Data JPA version 2.0.13, update to a version that includes the necessary fixes to prevent unexpected query results.
For Spring Data JPA version 1.11.19, update to a version that includes the necessary fixes to prevent unexpected query results.
As a temporary workaround, consider properly escaping reserved characters in query parameter values to minimize the risk of exploitation.
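
The escaping workaround described above, as an added example that is not code from Spring Data JPA or from this advisory. It assumes Python's built-in sqlite3 as a stand-in database, a constructed `account` table, and hypothetical helper names; it shows why a bound parameter alone does not neutralize LIKE reserved characters and how escaping them restores a literal match.

```python
import sqlite3

ESC = "\\"  # escape character named in the ESCAPE clause (assumed choice)

def escape_like(value: str, esc: str = ESC) -> str:
    """Escape LIKE reserved characters so the value is matched literally."""
    # The escape character itself must be escaped first, then % and _.
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def make_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical table and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (name TEXT)")
    db.executemany("INSERT INTO account VALUES (?)",
                   [("alice",), ("bob",), ("a_b",), ("axb",), ("100%",)])
    return db

def starting_with_unescaped(db, prefix):
    # The value is bound, so the SQL text cannot change, but any % or _
    # inside the value still acts as a wildcard in the LIKE pattern.
    rows = db.execute(
        "SELECT name FROM account WHERE name LIKE ? ORDER BY name",
        (prefix + "%",))
    return [r[0] for r in rows]

def starting_with_escaped(db, prefix):
    # Reserved characters in the caller's value are escaped; only the
    # trailing % appended by the query itself remains a wildcard.
    rows = db.execute(
        "SELECT name FROM account WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (escape_like(prefix) + "%",))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    for prefix in ("a", "%", "a_"):
        print(repr(prefix),
              starting_with_unescaped(db, prefix),
              starting_with_escaped(db, prefix))
```
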

Fix

Information Disclosure

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2019-3797
GHSA-JGMR-WRWX-MGFJ

Affected Products

Spring Data Jpa