Vulnerability Monitor


CVE-2019-3797


This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates startingWith, endingWith or containing could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the bound parameter values did not have reserved characters properly escaped. In both cases the root cause is the same: the repository wraps a bound value in LIKE wildcards without escaping the reserved characters % and _ inside the value itself, so a caller who supplies those characters widens the match set (a single % as a "starting with" value matches every row) and can read records they were not meant to see.
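To make the description concrete, here is an added example (not code from this page or from the Spring Data project) that reproduces the underlying LIKE-wildcard problem in plain SQL through Python's sqlite3 module rather than in JPA, since the database semantics are what matter: a "starting with" lookup that binds the caller's value but does not escape % and _, beside a hardened version that escapes them and declares an ESCAPE character. The table, the sample rows, the function names and the choice of backslash as escape character are all constructed for the example.

```python
import sqlite3

# Escape character used by the hardened query (an assumption for this example;
# any single character that is escaped consistently works).
LIKE_ESCAPE = "\\"

# Constructed sample rows (not data from the page or the project).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol_admin", "carol@example.com"),
    ("dave", "dave@example.com"),
]


def make_db():
    """In-memory SQLite database standing in for the JPA-backed store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_by_username_starting_with_vuln(conn, prefix):
    """Pre-fix behaviour of a derived 'StartingWith' query: the value is bound
    (so the statement text cannot be changed), but '%' is appended to the raw
    value, so a '%' or '_' supplied by the caller acts as a LIKE wildcard."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        (prefix + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(value, esc=LIKE_ESCAPE):
    """Neutralise LIKE metacharacters in a value about to be bound into a LIKE
    pattern. The escape character itself is doubled first, then '%' and '_'
    (the reserved characters in SQL LIKE and JPQL LIKE alike) are prefixed."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def find_by_username_starting_with_fixed(conn, prefix):
    """Hardened form: escape the caller's value and declare the same escape
    character in an ESCAPE clause so the database honours the escaping."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE ? "
        "ORDER BY username",
        (escape_like(prefix) + "%", LIKE_ESCAPE),
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both forms against the same inputs and return the results."""
    conn = make_db()
    return {
        # Legitimate prefix: both forms agree.
        "vuln_ali": find_by_username_starting_with_vuln(conn, "ali"),
        "fixed_ali": find_by_username_starting_with_fixed(conn, "ali"),
        # Attacker sends '%': the vulnerable form returns every row.
        "vuln_pct": find_by_username_starting_with_vuln(conn, "%"),
        "fixed_pct": find_by_username_starting_with_fixed(conn, "%"),
        # Attacker sends '_ob': the single-character wildcard finds 'bob'.
        "vuln_us": find_by_username_starting_with_vuln(conn, "_ob"),
        "fixed_us": find_by_username_starting_with_fixed(conn, "_ob"),
        # A literal underscore in a legitimate prefix still works after the fix.
        "fixed_literal": find_by_username_starting_with_fixed(conn, "carol_"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Two points the example makes that the description only implies. First, the parameter is bound in both versions, so the statement text cannot be altered; this is not classical SQL injection but wildcard injection that widens the result set, which is why the impact is confidentiality only (CWE-200 primary, CWE-89 secondary). Second, escaping the value is only half of the fix: the same character must be declared in the ESCAPE clause (JPQL supports this clause as well), and the escape character has to be escaped before % and _, otherwise a caller-supplied escape character would un-escape the wildcard that follows it. For manually written LIKE queries this escaping remains the application's responsibility even on fixed versions of Spring Data JPA.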


Published

2019-05-06T16:29:01.460

Last Modified

2024-11-21T04:42:33.580

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 3.5 (LOW)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N (CVSSv2 base score 5.0, MEDIUM)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSSv2 Exploitability Score

10.0

CVSSv2 Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
  • Type: Secondary
    CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Affected Vendors & Products

  Type         Vendor            Product                           Version/Range  Vulnerable?
  Application  pivotal_software  spring_data_java_persistence_api  ≤ 1.11.19      Yes
  Application  pivotal_software  spring_data_java_persistence_api  ≤ 2.0.13       Yes
  Application  pivotal_software  spring_data_java_persistence_api  ≤ 2.1.5        Yes

The three ranges are the 1.11.x, 2.0.x and 2.1.x release lines; the vendor advisory lists the fixed releases as 1.11.20, 2.0.14 and 2.1.6.
