CVE-2024-49203

Name of the Vulnerable Software and Affected Versions Querydsl version 5.1.0 OpenFeign Querydsl version 6.8

Description The issue allows SQL/HQL injection in the orderBy clause of JPAQuery. This is possible when untrusted input is directly used in query construction. Note that the Querydsl community disputes this as an issue, stating the product is not intended to defend against such use.

Recommendations For Querydsl version 5.1.0, avoid using untrusted input directly in query construction to minimize the risk of SQL/HQL injection. For OpenFeign Querydsl version 6.8, restrict the use of untrusted input in the orderBy clause of JPAQuery until a proper fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.