Jhipster · Jhipster · CVE-2022-24815
**Name of the Vulnerable Software and Affected Versions**
JHipster versions prior to 7.8.1
**Description**
A SQL injection vulnerability exists in entities of applications generated with the option "reactive with Spring WebFlux" enabled and an SQL database using r2dbc. The issue affects monolith and microservice applications that combine an SQL database with reactive Spring WebFlux, as well as Gateway applications with an SQL database. The vulnerable code is the `findAllBy(Pageable pageable, Criteria criteria)` method of the entity repository class generated in these applications: the where clause built from the `Criteria` is not sanitized, so user input carried by the criteria is passed into the query as is. The root of the issue lies in the `EntityManager.java` class, which creates the where clause via `Conditions.just(criteria.toString())`. `just` accepts the literal string it is given, and `Criteria`'s `toString` method returns a plain string, which makes the query vulnerable to SQL injection.
**Recommendations**
For versions prior to 7.8.1, upgrade to version 7.8.1 or later to patch the vulnerability.
As a temporary workaround, be careful when combining criteria and conditions, and avoid passing user-provided criteria to the `createSelect` method of `EntityManager`.
Restrict access to the vulnerable `findAllBy(Pageable pageable, Criteria criteria)` method until the issue is resolved.
Audit existing reactive applications generated by the impacted version for use of `Criteria` and take appropriate actions.
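One way to start the audit recommended above is to scan a generated application's Java sources for the constructs this advisory names. The script below is an added example, not part of the advisory or of JHipster; the rule names, function names and the embedded sample source are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Rules use only identifiers named in the advisory; rule names are this example's own.
RULES = {
    "raw-where-clause": re.compile(
        r"Conditions\s*\.\s*just\s*\(\s*\w+\s*\.\s*toString\s*\(\s*\)\s*\)"),
    "criteria-finder": re.compile(
        r"\bfindAllBy\s*\(\s*Pageable\s+\w+\s*,\s*Criteria\s+\w+\s*\)"),
    "createSelect-use": re.compile(r"\bcreateSelect\s*\("),
}

def scan_source(text, name="<memory>"):
    """Return (file, line number, rule, line) for every rule hit in one Java source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # heuristic: drop line comments
        for rule, pattern in RULES.items():
            if pattern.search(code):
                findings.append((name, lineno, rule, line.strip()))
    return findings

def scan_tree(root):
    """Scan every .java file under root, e.g. a generated project's source directory."""
    findings = []
    for path in sorted(Path(root).rglob("*.java")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(text, str(path)))
    return findings

# Constructed sample for illustration; not the code JHipster generates.
SAMPLE = """\
public class EntityManager {
    String createSelect(Criteria criteria) {
        // where clause built from the rendered criteria
        return select.where(Conditions.just(criteria.toString())).build();
    }
}
interface PersonRepositoryInternal {
    Flux<Person> findAllBy(Pageable pageable, Criteria criteria);
    Flux<Person> findAllBy(Pageable pageable);
}
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE, "sample.java")
    for file, lineno, rule, line in hits:
        print(f"{file}:{lineno}: [{rule}] {line}")
```

A hit is a lead for manual review, not proof of exposure: what matters is whether user-provided input can reach the flagged `Criteria`.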