CVE-2019-3797 is a vulnerability in Pivotal Software Spring Data Java Persistence Api
Published on May 6, 2019
Additional information exposure with Spring Data JPA derived queries
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates startingWith, endingWith or containing could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the bound parameter values did not have their reserved characters properly escaped.
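The failure mode described above, shown as an added example (not Spring Data's own code) in Python against an in-memory SQLite table: a bound value containing `%` or `_` widens a startingWith-style LIKE match beyond the intended prefix, and escaping the reserved characters together with an ESCAPE clause restores literal matching. The table, rows and function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data, standing in for the entity table a derived
# "findByNameStartingWith" query would hit.
SAMPLE_NAMES = ["alice", "alicia", "bob", "carol_admin", "100%"]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def starting_with_unescaped(prefix):
    """Vulnerable shape: the value is bound as a parameter, but it is appended
    to the LIKE pattern unescaped, so '%' and '_' inside it act as wildcards
    and the query returns more rows than the caller anticipated."""
    conn = _connect()
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ?", (prefix + "%",))
    return sorted(r[0] for r in rows)


def escape_like(value, esc="\\"):
    """Escape the LIKE reserved characters (escape char first, then % and _)
    so that each one matches itself literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def starting_with_escaped(prefix):
    """Hardened shape: reserved characters are escaped and the ESCAPE clause
    tells the database which character introduces a literal."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        (escape_like(prefix) + "%",),
    )
    return sorted(r[0] for r in rows)
```

A single `%` as the prefix returns every row from the unescaped variant and nothing from the escaped one, which is the "more results than anticipated" behaviour the advisory describes.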
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2019-3797 has been classified as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2019-3797
Affected Versions
Spring Boot:
- Version 2.0, below v2.0.9.RELEASE, is affected.
- Version 1.5, below v1.5.20.RELEASE, is affected.
- Version 2.1, below v2.1.4.RELEASE, is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.