1.5.20.RELEASE
2.0.9.RELEASE
2.1.4.RELEASE
CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to and including 2.1.5, 2.0.13, and 1.11.19. Attackers can exploit this flaw by crafting malicious query parameters within derived queries using predicates like ‘startingWith’, ‘endingWith’, or ‘containing’, potentially leading to unintended data exposure. A fix is available in version 2.1.4.RELEASE.
This vulnerability allows an attacker to manipulate database queries through crafted input, potentially retrieving more data than intended. The impact ranges from unauthorized data disclosure to, in some cases, denial of service if the query overload impacts database performance. The risk is amplified in applications that directly expose user-supplied data in these predicates without proper sanitization. While the CVSS score is LOW, the ease of exploitation and potential for sensitive data leakage make this a significant concern, particularly in applications handling personally identifiable information (PII) or financial data. The vulnerability stems from a lack of proper escaping of reserved characters within LIKE expressions and derived queries.
CVE-2019-3797 was published on May 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS. Public proof-of-concept (POC) code is available, demonstrating the ease of exploitation, which increases the risk of future attacks if systems remain unpatched.
Exploitation status
EPSS
0.25% (48th percentile)
CVSS vector
The primary mitigation is to upgrade to Spring Data JPA version 2.1.4.RELEASE or later, which includes the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all user-supplied data used in derived queries. Specifically, ensure that any parameters used with ‘startingWith’, ‘endingWith’, or ‘containing’ predicates are properly escaped to prevent query manipulation. WAF rules can be configured to detect and block suspicious query patterns containing these predicates with unusual characters. Thorough testing of all data access layers is crucial after applying any mitigation.
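As an added example (not code from this advisory or from the Spring Data project), the Java below shows the two shapes the mitigation paragraph contrasts: a derived-query repository call where user input reaches a `Containing` predicate as-is, beside a hardened call that escapes the LIKE metacharacters first. The `Customer` entity, the repository and service names are assumed, as is a database whose LIKE escape character is backslash.

```java
import java.util.List;
import java.util.Objects;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Service;

// Assumed repository over an assumed Customer entity with a String "name" field.
interface CustomerRepository extends JpaRepository<Customer, Long> {
    // Derived query: Spring Data builds the LIKE pattern '%' + name + '%' from the argument.
    List<Customer> findByNameContaining(String name);
}

final class LikeEscaper {
    private static final char ESCAPE = '\\';

    // Escapes '%', '_' and the escape character itself so the caller's text is matched
    // literally inside a LIKE pattern. Assumes the database treats backslash as the LIKE
    // escape character (the default in MySQL, PostgreSQL and H2): unpatched Spring Data JPA
    // emits no ESCAPE clause, so the database default is what applies.
    static String escape(String userInput) {
        Objects.requireNonNull(userInput, "userInput");
        StringBuilder sb = new StringBuilder(userInput.length() + 8);
        for (char c : userInput.toCharArray()) {
            if (c == ESCAPE || c == '%' || c == '_') {
                sb.append(ESCAPE);
            }
            sb.append(c);
        }
        return sb.toString();
    }
}

@Service
class CustomerSearchService {
    private final CustomerRepository repository;

    CustomerSearchService(CustomerRepository repository) {
        this.repository = repository;
    }

    // Vulnerable shape: a '%' or '_' in the term becomes part of the LIKE pattern, so a
    // term of "%" matches every row instead of only names containing a percent sign.
    List<Customer> searchUnsafe(String term) {
        return repository.findByNameContaining(term);
    }

    // Hardened shape: metacharacters are escaped before the predicate sees the term, so the
    // query returns only names that literally contain the user's text.
    List<Customer> search(String term) {
        return repository.findByNameContaining(LikeEscaper.escape(term));
    }
}
```

The escaping helper is a stop-gap for the "upgrade not immediately feasible" case; the upgraded versions handle this inside the framework.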
Depending on your project, update Spring Data JPA to version 1.5.20.RELEASE, 2.0.9.RELEASE, or 2.1.4.RELEASE or later. This fixes the vulnerability related to derived queries and LIKE expressions.
CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to 2.1.5, allowing attackers to manipulate database queries through crafted input, potentially leading to data exposure.
If you are using Spring Data JPA versions 1.5 through 2.1.4.RELEASE, 2.0.13, or 1.11.19, you are potentially affected by this vulnerability. Check your application's dependencies.
Upgrade to Spring Data JPA version 2.1.4.RELEASE or later. If immediate upgrade isn't possible, implement input validation and sanitization on user-supplied data used in queries.
While there's no confirmed active exploitation, public POC code exists, increasing the risk of future attacks if systems remain unpatched.
Refer to the Spring Security Vulnerability Updates page for details: https://spring.io/security/cve-2019-3797