Platform: java
Component: spring-data-jpa
Fixed in: 1.11.22.RELEASE, 2.1.8.RELEASE
CVE-2019-3802 affects Spring Data JPA versions up to 2.1.8.RELEASE. This vulnerability stems from the ExampleMatcher component, specifically when using STARTING, ENDING, or CONTAINING string matchers. A malicious example value can cause the query to return more results than intended, potentially exposing sensitive data. A fix is available in version 2.1.8.RELEASE.
The primary impact of CVE-2019-3802 is information disclosure. An attacker could craft a malicious example value to trigger an excessively broad query, retrieving a larger-than-expected dataset from the database. This could expose sensitive information that the attacker would not normally be able to access. The severity is rated LOW, suggesting the attack requires specific conditions and is unlikely to lead to widespread compromise. However, the potential for data exposure warrants prompt remediation.
Exploit Status: CVE-2019-3802 was publicly disclosed on June 3, 2019. There are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits have been widely published. The vulnerability is not currently listed on the CISA KEV catalog.
EPSS: 0.24% (48th percentile)
CVSS Vector:
The recommended mitigation for CVE-2019-3802 is to upgrade to Spring Data JPA version 2.1.8.RELEASE or later. If upgrading is not immediately feasible, consider restricting the use of the STARTING, ENDING, and CONTAINING string matchers within ExampleMatcher. Carefully validate and sanitize any user-supplied input that ends up in example values, so that a crafted value cannot widen the query. A WAF cannot directly address this vulnerability, since the over-broad match happens inside the application's database query, but it can be configured to monitor for unusually large responses from the affected endpoints and potentially block them.
Update Spring Data JPA to version 2.1.8.RELEASE or higher, or to version 1.11.22.RELEASE or higher. This corrects the vulnerability in ExampleMatcher that could return more results than expected with malicious example values.
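As an added illustration of the "validate example values" workaround above (this is not code from the page or from the Spring Data project), the following Java builds a query-by-example probe and rejects search terms that contain LIKE pattern metacharacters before they reach the CONTAINING matcher. The Customer entity, its field names and the reject-rather-than-escape policy are assumptions made for the example.

```java
import org.springframework.data.domain.Example;
import org.springframework.data.domain.ExampleMatcher;
import org.springframework.data.domain.ExampleMatcher.GenericPropertyMatchers;

public final class SafeExampleFactory {

    // Hypothetical JPA entity used as the probe; the real application's entity
    // would carry @Entity/@Id annotations and more fields.
    public static class Customer {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    /**
     * STARTING, ENDING and CONTAINING are compiled to SQL LIKE patterns, where
     * '%' and '_' are wildcards and '\' is commonly the escape character.  On a
     * release without the fix, such characters inside the example value widen
     * the match; that is the over-broad query described for CVE-2019-3802.
     */
    static boolean containsLikeWildcards(String value) {
        return value != null
                && (value.indexOf('%') >= 0 || value.indexOf('_') >= 0 || value.indexOf('\\') >= 0);
    }

    /**
     * Builds an Example that matches customers whose name contains the given
     * term (case-insensitive).  User input is validated first, so the probe
     * only ever carries literal text; rejecting is chosen over escaping here
     * because escaping rules differ between databases.
     */
    public static Example<Customer> customersWithNameContaining(String userInput) {
        if (containsLikeWildcards(userInput)) {
            throw new IllegalArgumentException("search term must not contain LIKE wildcards");
        }
        Customer probe = new Customer();
        probe.setName(userInput);
        // email stays null and is excluded from the query by withIgnoreNullValues().
        ExampleMatcher matcher = ExampleMatcher.matching()
                .withIgnoreNullValues()
                .withMatcher("name", GenericPropertyMatchers.contains().ignoreCase());
        return Example.of(probe, matcher);
    }
}
```

The returned Example is passed to a repository that extends QueryByExampleExecutor, e.g. `customerRepository.findAll(SafeExampleFactory.customersWithNameContaining(term))`; the version upgrade remains the actual fix, and this check is only the interim workaround the text describes.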
CVE-2019-3802 is a LOW severity vulnerability in Spring Data JPA affecting versions up to 2.1.8.RELEASE. Malicious example values can cause excessive query results, potentially exposing sensitive data.
You are affected if you are using Spring Data JPA versions 1.11 through 2.1.8.RELEASE and use ExampleMatcher with the STARTING, ENDING, or CONTAINING string matchers.
Upgrade to Spring Data JPA version 2.1.8.RELEASE or later. As a temporary workaround, restrict the use of vulnerable ExampleMatcher string matchers.
There are currently no known active exploitation campaigns targeting CVE-2019-3802, nor are there publicly available proof-of-concept exploits.
Refer to the Spring Data JPA release notes and security advisories on the Spring project website: https://spring.io/security