LOWCVE-2019-3797CVSS 3.5

Exposição adicional de informações com consultas derivadas do Spring Data JPA

Plataforma

java

Componente

spring-data-jpa

Corrigido em

1.5.20.RELEASE

2.0.9.RELEASE

2.1.4.RELEASE

AI Confidence: highNVDEPSS 0.2%Revisado: mai. de 2026

Ver no NVD

Salvar

Traduzindo para o seu idioma…

CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to and including 2.1.5, 2.0.13, and 1.11.19. Attackers can exploit this flaw by crafting malicious query parameters within derived queries using predicates like ‘startingWith’, ‘endingWith’, or ‘containing’, potentially leading to unintended data exposure. A fix is available in version 2.1.4.RELEASE.

Impacto e Cenários de Ataquetraduzindo…

This vulnerability allows an attacker to manipulate database queries through crafted input, potentially retrieving more data than intended. The impact ranges from unauthorized data disclosure to, in some cases, denial of service if the query overload impacts database performance. The risk is amplified in applications that directly expose user-supplied data in these predicates without proper sanitization. While the CVSS score is LOW, the ease of exploitation and potential for sensitive data leakage make this a significant concern, particularly in applications handling personally identifiable information (PII) or financial data. The vulnerability stems from a lack of proper escaping of reserved characters within LIKE expressions and derived queries.

Contexto de Exploraçãotraduzindo…

CVE-2019-3797 was published on May 6, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS. Public proof-of-concept (POC) code is available, demonstrating the ease of exploitation, which increases the risk of future attacks if systems remain unpatched.

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido

CISA KEVNO

Exposição na InternetAlta

EPSS

0.25% (percentil 48%)

Vetor CVSS

Software Afetado

Componentespring-data-jpa

FornecedorSpring

Faixa afetadaCorrigido em

1.5 – 1.5.19.RELEASE1.5.20.RELEASE

2.0 – 2.0.8.RELEASE2.0.9.RELEASE

2.1 – 2.1.3.RELEASE2.1.4.RELEASE

Classificação de Fraqueza (CWE)

CWE-89

Linha do tempo

Reservado2019-01-03
Publicada2019-05-06
Modificada2024-09-16
EPSS atualizado2026-04-02

Mitigação e Soluções Alternativastraduzindo…

The primary mitigation is to upgrade to Spring Data JPA version 2.1.4.RELEASE or later, which includes the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all user-supplied data used in derived queries. Specifically, ensure that any parameters used with ‘startingWith’, ‘endingWith’, or ‘containing’ predicates are properly escaped to prevent query manipulation. WAF rules can be configured to detect and block suspicious query patterns containing these predicates with unusual characters. Thorough testing of all data access layers is crucial after applying any mitigation.

Como corrigir

Atualize o Spring Data JPA para as versões 1.5.20.RELEASE, 2.0.9.RELEASE ou 2.1.4.RELEASE ou superior, conforme apropriado para o seu projeto. Isso corrige a vulnerabilidade relacionada com as consultas derivadas e as expressões LIKE.

Boletim de Segurança CVE

Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.

Perguntas frequentestraduzindo…

What is CVE-2019-3797 — Query Injection in Spring Data JPA?

CVE-2019-3797 is a query injection vulnerability affecting Spring Data JPA versions up to 2.1.5, allowing attackers to manipulate database queries through crafted input, potentially leading to data exposure.

Am I affected by CVE-2019-3797 in Spring Data JPA?

If you are using Spring Data JPA versions 1.5–v2.1.4.RELEASE, 2.0.13, or 1.11.19, you are potentially affected by this vulnerability. Check your application's dependencies.

How do I fix CVE-2019-3797 in Spring Data JPA?

Upgrade to Spring Data JPA version 2.1.4.RELEASE or later. If immediate upgrade isn't possible, implement input validation and sanitization on user-supplied data used in queries.

Is CVE-2019-3797 being actively exploited?

While there's no confirmed active exploitation, public POC code exists, increasing the risk of future attacks if systems remain unpatched.

Where can I find the official Spring Data JPA advisory for CVE-2019-3797?

Refer to the Spring Security Vulnerability Updates page for details: https://spring.io/security/cve-2019-3797

NextGuard

Vulnerabilidades

O que significam essas métricas?

Attack Vector: Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
Attack Complexity: Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
Privileges Required: Baixo — qualquer conta de usuário válida é suficiente.
User Interaction: Necessária — a vítima deve abrir um arquivo, clicar em um link ou visitar uma página.
Scope: Inalterado — impacto limitado ao componente vulnerável.
Confidentiality: Baixo — acesso parcial ou indireto a alguns dados.
Integrity: Nenhum — sem impacto na integridade.
Availability: Nenhum — sem impacto na disponibilidade.

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátis Buscar CVEs

Java / Maven

Detecte esta CVE no seu projeto

Envie seu arquivo pom.xml e descubra na hora se você está afetado.

Enviar pom.xmlFormatos suportados: pom.xml · build.gradle