Platform: java
Component: spring-data-jpa
Fixed in: 1.5.20.RELEASE, 2.0.9.RELEASE, 2.1.4.RELEASE
CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to and including 2.1.5, 2.0.13, and 1.11.19. Attackers can exploit this flaw by crafting malicious query parameters within derived queries using predicates like ‘startingWith’, ‘endingWith’, or ‘containing’, potentially leading to unintended data exposure. A fix is available in version 2.1.4.RELEASE.
This vulnerability allows an attacker to manipulate database queries through crafted input, potentially retrieving more data than intended. The impact ranges from unauthorized data disclosure to, in some cases, denial of service if the resulting query load degrades database performance. The risk is amplified in applications that pass user-supplied data directly into these predicates without proper sanitization. While the CVSS score is LOW, the ease of exploitation and the potential for sensitive data leakage make this a significant concern, particularly in applications handling personally identifiable information (PII) or financial data. The vulnerability stems from a lack of proper escaping of reserved characters (LIKE wildcards) within LIKE expressions built by derived queries.
CVE-2019-3797 was published on May 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS. Public proof-of-concept (POC) code is available, demonstrating the ease of exploitation, which increases the risk of future attacks if systems remain unpatched.
Exploit Status
EPSS: 0.25% (48th percentile)
The primary mitigation is to upgrade to Spring Data JPA version 2.1.4.RELEASE or later, which includes the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all user-supplied data used in derived queries. Specifically, ensure that any parameters used with ‘startingWith’, ‘endingWith’, or ‘containing’ predicates are properly escaped to prevent query manipulation. WAF rules can be configured to detect and block suspicious query patterns containing these predicates with unusual characters. Thorough testing of all data access layers is crucial after applying any mitigation.
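To make the mechanism concrete, here is an added Python/SQLite stand-in (not Spring Data JPA's own code) for what a derived query such as findByNameContaining generates: a parameterized LIKE whose bound value still carries live wildcards, placed beside the escaped form that the mitigation above calls for. The table and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo; the "d_ve" row exists only to show
# that "_" (single-character wildcard) needs escaping as well as "%".
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                ("carol", "carol@example.org"), ("dave", "dave@example.com"),
                ("d_ve", "d_ve@example.com")]


def open_sample_db():
    """In-memory SQLite database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def find_by_name_containing_unescaped(con, term):
    """Mirrors the pre-fix behaviour of a 'containing' derived query: the value
    is bound as a parameter (so SQL syntax cannot be injected), but LIKE
    wildcards inside the value are still interpreted by the database."""
    rows = con.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%'", (term,))
    return sorted(r[0] for r in rows)


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters % and _ (and the escape char itself)."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_by_name_containing_escaped(con, term):
    """Hardened form: escape the wildcards and declare the ESCAPE character,
    so the user value is matched literally and only the surrounding
    '%' wildcards added by the query itself stay live."""
    rows = con.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%' ESCAPE '\\'",
        (escape_like(term),))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = open_sample_db()
    for probe in ("ali", "%", "d_ve"):
        print(probe, find_by_name_containing_unescaped(db, probe),
              find_by_name_containing_escaped(db, probe))
```

A value of "%" returns every row through the unescaped path and nothing through the escaped one, which is the "more results than intended" behaviour the advisory describes.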
Upgrade Spring Data JPA to version 1.5.20.RELEASE, 2.0.9.RELEASE or 2.1.4.RELEASE or later, whichever applies to your project. This fixes the vulnerability related to derived queries and LIKE expressions.
CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to 2.1.5, allowing attackers to manipulate database queries through crafted input, potentially leading to data exposure.
If you are using Spring Data JPA versions 1.5 through 2.1.4.RELEASE, 2.0.13, or 1.11.19, you are potentially affected by this vulnerability. Check your application's dependencies.
Upgrade to Spring Data JPA version 2.1.4.RELEASE or later. If immediate upgrade isn't possible, implement input validation and sanitization on user-supplied data used in queries.
While there's no confirmed active exploitation, public POC code exists, increasing the risk of future attacks if systems remain unpatched.
Refer to the Spring Security Vulnerability Updates page for details: https://spring.io/security/cve-2019-3797