PT-2019-16730 · Spring · Spring Data Jpa
Thaveethu Vignesh · Published 2019-06-03 · Updated 2021-10-29 · CVE-2019-3802
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Spring Data JPA versions prior to 2.1.7
Spring Data JPA versions 2.0.x up to and including 2.0.14
Spring Data JPA versions 1.11.x up to and including 1.11.20
Description
The issue affects the ExampleMatcher in Spring Data JPA: when a query by example uses ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING, or ExampleMatcher.StringMatcher.CONTAINING, the example (probe) value is placed into the generated pattern without its wildcard characters being neutralised, so a maliciously crafted example value can return more results than anticipated.
Recommendations
For Spring Data JPA versions prior to 2.1.7, update to version 2.1.7 or later.
For Spring Data JPA versions 2.0.x up to and including 2.0.14, update to version 2.0.15 or later.
For Spring Data JPA versions 1.11.x up to and including 1.11.20, update to version 1.11.21 or later.
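The defect can be reproduced outside Spring. The example below is added here and is not Spring Data JPA's own code: it models the SQL LIKE pattern that a query-by-example builder emits for the STARTING, ENDING and CONTAINING modes, once with the probe value concatenated verbatim (the unpatched behaviour) and once with `%`, `_` and the escape character neutralised, and runs both against a constructed in-memory SQLite table. The table contents, the `ESCAPE` character and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows; the third username contains a literal '%'
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("100%", "pct@example.com"),
]

ESCAPE = "\\"  # escape character declared in the hardened LIKE clause (assumed)


def open_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_like(value, esc=ESCAPE):
    """Neutralise LIKE metacharacters so the probe value can only match itself."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def like_pattern(value, mode, escape):
    """Build the LIKE pattern a query-by-example matcher would emit.

    mode is STARTING, ENDING or CONTAINING, mirroring the
    ExampleMatcher.StringMatcher modes named in the advisory.
    escape=False models the unpatched behaviour, where the probe value is
    concatenated into the pattern verbatim.
    """
    probe = escape_like(value) if escape else value
    if mode == "STARTING":
        return probe + "%"
    if mode == "ENDING":
        return "%" + probe
    if mode == "CONTAINING":
        return "%" + probe + "%"
    raise ValueError(f"unsupported mode: {mode}")


def find_by_example(conn, value, mode, escape=True):
    """Return the usernames matched by the probe value under the given mode."""
    pattern = like_pattern(value, mode, escape)
    sql = "SELECT username FROM users WHERE username LIKE ?"
    if escape:
        # Declare the escape character so the database treats '\%' as a literal '%'
        sql += " ESCAPE '\\'"
    sql += " ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = open_db()
    probes = [("a", "STARTING"), ("%", "STARTING"), ("_", "CONTAINING"), ("100%", "STARTING")]
    for probe, mode in probes:
        unescaped = find_by_example(db, probe, mode, escape=False)
        escaped = find_by_example(db, probe, mode)
        print(f"{mode:<10} probe={probe!r:<7} unescaped={unescaped} escaped={escaped}")
```

A probe of `%` under STARTING produces the pattern `%%` in the unescaped variant and returns every row, which is the over-broad result the advisory describes; with the wildcards neutralised the same probe matches only usernames that literally begin with `%`. The fixed Spring Data JPA releases listed above apply the equivalent neutralisation inside the library, so upgrading is the remediation; this model only makes the difference observable.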
Fix
Information Disclosure
Improper Neutralization of Wildcards
Affected Products
Spring Data Jpa