Описание
Improper Neutralization of Special Elements used in an SQL Command Pivotal Spring Data JPA
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
Пакеты
org.springframework.data:spring-data-jpa
< 1.9.6
1.9.6
org.springframework.data:spring-data-jpa
>= 1.10.0, < 1.10.4
1.10.4
Связанные уязвимости
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.