Platform: java
Component: spring-data-jpa
Fixed in: 1.5.20.RELEASE, 2.0.9.RELEASE, 2.1.4.RELEASE
CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to and including 2.1.5, 2.0.13, and 1.11.19. Attackers can exploit this flaw by crafting malicious query parameters within derived queries using predicates like ‘startingWith’, ‘endingWith’, or ‘containing’, potentially leading to unintended data exposure. A fix is available in version 2.1.4.RELEASE.
This vulnerability allows an attacker to manipulate database queries through crafted input, potentially retrieving more data than intended. The impact ranges from unauthorized data disclosure to, in some cases, denial of service if the query overload impacts database performance. The risk is amplified in applications that directly expose user-supplied data in these predicates without proper sanitization. While the CVSS score is LOW, the ease of exploitation and potential for sensitive data leakage make this a significant concern, particularly in applications handling personally identifiable information (PII) or financial data. The vulnerability stems from a lack of proper escaping of reserved characters within LIKE expressions and derived queries.
CVE-2019-3797 was published on May 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS. Public proof-of-concept (POC) code is available, demonstrating the ease of exploitation, which increases the risk of future attacks if systems remain unpatched.
Exploit status
EPSS: 0.25% (48th percentile)
CVSS vector:
The primary mitigation is to upgrade to Spring Data JPA version 2.1.4.RELEASE or later, which includes the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all user-supplied data used in derived queries. Specifically, ensure that any parameters used with ‘startingWith’, ‘endingWith’, or ‘containing’ predicates are properly escaped to prevent query manipulation. WAF rules can be configured to detect and block suspicious query patterns containing these predicates with unusual characters. Thorough testing of all data access layers is crucial after applying any mitigation.
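The two paragraphs above describe the mechanism (LIKE wildcards in a bound parameter are not escaped, so a derived query such as `findByUsernameStartingWith` matches more rows than intended) and the mitigation (escape the reserved characters before they reach the LIKE expression). The following is an added example, not code from the Spring Data project or from this advisory: it reproduces the pre-fix and hardened query shapes in plain SQL against an in-memory SQLite table with constructed sample rows, and adds a boundary check that flags parameters carrying LIKE metacharacters so they can be logged or rejected. The table, row values and function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a JPA entity table; not real data.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.net"),
    ("a_cme", "acme@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_by_username_starting_with_unescaped(conn, prefix):
    """Shape of a 'StartingWith' derived query before the fix.

    The value is bound as a parameter, so this is not classic SQL injection,
    but any '%' or '_' inside it still acts as a LIKE wildcard and broadens
    the match.  ORDER BY rowid keeps the result order deterministic.
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY rowid",
        (prefix + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(value, escape="\\"):
    """Escape LIKE metacharacters in a user-supplied value.

    The escape character itself is doubled first so that a literal backslash
    in the input cannot neutralise the escaping of a following wildcard.
    """
    return (
        value.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def find_by_username_starting_with_escaped(conn, prefix):
    """Hardened shape: wildcards in the bound value are escaped and the
    statement tells the database which escape character was used."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
        "ORDER BY rowid",
        (escape_like(prefix) + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def contains_like_wildcards(value):
    """Boundary check: report whether a request parameter carries LIKE
    metacharacters, so the application can log or reject it before the
    value reaches a derived query."""
    return any(c in value for c in "%_")


if __name__ == "__main__":
    db = make_db()
    for p in ("a", "a_", "%"):
        print(
            repr(p),
            "unescaped:", find_by_username_starting_with_unescaped(db, p),
            "escaped:", find_by_username_starting_with_escaped(db, p),
            "flagged:", contains_like_wildcards(p),
        )
```

The run shows the difference the advisory describes: a prefix of `%` returns every row from the unescaped query and nothing from the hardened one, while `a_` matches both `alice` and `a_cme` unescaped but only `a_cme` once the underscore is treated literally. The escaping helper is the piece to apply in a pre-upgrade mitigation; the boundary check is a cheap detection signal for monitoring parameters fed to `startingWith`, `endingWith` and `containing` predicates.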
Update Spring Data JPA to version 1.5.20.RELEASE, 2.0.9.RELEASE or 2.1.4.RELEASE or later, depending on your project's requirements. This fixes the vulnerability related to derived queries and LIKE expressions.
CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to 2.1.5, allowing attackers to manipulate database queries through crafted input, potentially leading to data exposure.
If you are using Spring Data JPA versions 1.5 through 2.1.4.RELEASE, 2.0.13, or 1.11.19, you are potentially affected by this vulnerability. Check your application's dependencies.
Upgrade to Spring Data JPA version 2.1.4.RELEASE or later. If immediate upgrade isn't possible, implement input validation and sanitization on user-supplied data used in queries.
While there's no confirmed active exploitation, public POC code exists, increasing the risk of future attacks if systems remain unpatched.
Refer to the Spring Security Vulnerability Updates page for details: https://spring.io/security/cve-2019-3797