PT-2022-16895 · Jhipster · Jhipster

Deepu105

·

Published

2022-04-07

·

Updated

2022-04-19

·

CVE-2022-24815

CVSS v3.1

8.1

High

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: JHipster versions prior to 7.8.1
Description: A SQL injection vulnerability exists in the entity repositories of applications generated with the "reactive with Spring WebFlux" option and an SQL database accessed through R2DBC. It affects monolith and microservice applications that combine an SQL database with reactive Spring WebFlux, as well as gateway applications with an SQL database. The injection point is the findAllBy(Pageable pageable, Criteria criteria) method of the generated entity repository class: the WHERE clause built from the Criteria is not parameterized, so the values carried by the criteria reach the database exactly as they were supplied. The root cause is in the generated EntityManager.java class, which builds the WHERE clause with Conditions.just(criteria.toString()). Conditions.just() accepts the string it is given as literal SQL, and Criteria's toString() renders the criteria as a plain string in which values appear as unescaped SQL literals, so a Criteria object that looks like a safe, parameterized query description is in fact spliced into the statement text. Any value an attacker can influence in such a criteria (for example a filter parameter taken from an HTTP request and passed to Criteria.where(...).is(...)) therefore becomes injectable SQL; exposure depends on whether application code calls this generated method with request-derived criteria.
Recommendations: For versions prior to 7.8.1, upgrade to JHipster 7.8.1 or later. Because the vulnerable code is generated into the application, upgrading the generator alone does not change projects that were already generated: regenerate them with 7.8.1 or later, or apply the equivalent change to the generated EntityManager.java by hand. As a temporary workaround, be careful when combining Criteria and Condition objects, and do not pass user-provided criteria to the createSelect method of EntityManager. Restrict access to the vulnerable findAllBy(Pageable pageable, Criteria criteria) method until the issue is resolved. Audit existing reactive applications generated by an affected version for uses of Criteria, in particular any Criteria built from request parameters, and take appropriate action.
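The following stand-alone Java example is added here to make the mechanism in the Description and the workaround in the Recommendations concrete; it is not JHipster's generated code and not the project's fix. It reconstructs the vulnerable shape (a Criteria rendered with toString() and handed to Conditions.just()) beside a hardened shape that keeps the user value out of the statement text, and renders both statements so the difference is visible without a database. The class and method names, the jhi_user table, the login column and the attacker string are assumptions; it needs only spring-data-relational on the classpath.

```java
// Added example (not JHipster's code): vulnerable vs. hardened WHERE-clause construction.
// Assumes spring-data-relational (Criteria, Conditions, Select, SqlRenderer) on the classpath.
// Table/column names (jhi_user, login) and the attacker input are constructed for the demo.
import org.springframework.data.relational.core.query.Criteria;
import org.springframework.data.relational.core.sql.Column;
import org.springframework.data.relational.core.sql.Condition;
import org.springframework.data.relational.core.sql.Conditions;
import org.springframework.data.relational.core.sql.SQL;
import org.springframework.data.relational.core.sql.Select;
import org.springframework.data.relational.core.sql.Table;
import org.springframework.data.relational.core.sql.render.SqlRenderer;

public class CriteriaInjectionDemo {

    private static final Table USER = Table.create("jhi_user");

    // Vulnerable shape (the pattern the advisory describes): Criteria.toString() emits the
    // value as an SQL literal, and Conditions.just() accepts that text as raw SQL, so the
    // value is spliced into the statement instead of being bound as a parameter.
    static String vulnerableSelect(Criteria criteria) {
        Select select = Select.builder()
                .select(USER.column("id"), USER.column("login"))
                .from(USER)
                .where(Conditions.just(criteria.toString()))
                .build();
        return SqlRenderer.toString(select);
    }

    // Hardened shape: the WHERE clause is built from the SQL AST with a bind marker. The
    // statement text never contains the user value; the caller binds it separately, e.g.
    // databaseClient.sql(sql).bind("login", value). Column names still come from code,
    // never from the request, because identifiers cannot be bound.
    static String safeSelect() {
        Column login = USER.column("login");
        Condition where = Conditions.isEqual(login, SQL.bindMarker(":login"));
        Select select = Select.builder()
                .select(USER.column("id"), login)
                .from(USER)
                .where(where)
                .build();
        return SqlRenderer.toString(select);
    }

    public static void main(String[] args) {
        String benign = "admin";
        String hostile = "admin' OR '1'='1"; // constructed attacker-controlled filter value

        // Both calls look like parameterized queries to the caller...
        System.out.println(vulnerableSelect(Criteria.where("login").is(benign)));
        // ...but the hostile value lands in the rendered SQL verbatim, widening the WHERE clause.
        System.out.println(vulnerableSelect(Criteria.where("login").is(hostile)));

        // The hardened statement contains only the placeholder, whatever the input is.
        System.out.println(safeSelect());
    }
}
```

Running it prints three statements: the first two differ only by the user value, and in the second the quote in the attacker string closes the literal and appends its own predicate; the third contains a bind marker instead of a value. In a generated JHipster application the equivalent safe route for criteria-based reads is to let Spring Data R2DBC bind the criteria itself, for example through R2dbcEntityTemplate.select(Query.query(criteria), EntityClass.class), rather than rendering the Criteria to a string.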

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2022-24815
GHSA-QJMQ-8HJR-QCV6

Affected Products

Jhipster