Querydsl JPAQuery SQL/HQL Injection Vulnerability in orderBy Method
CVE-2024-49203 Published on November 20, 2024
Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. NOTE: this is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-49203
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | io.github.openfeign.querydsl:querydsl-jpa | <= 6.8.0 | |
| maven | io.github.openfeign.querydsl:querydsl-apt | <= 6.8.0 | |
| maven | com.querydsl:querydsl-jpa | <= 5.1.0 | |
| maven | com.querydsl:querydsl-apt | <= 5.1.0 |
Exploit Probability
EPSS
0.21%
Percentile
43.71%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.