Platform
java
Component
spring-data-jpa
Fixed versions
1.11.22.RELEASE
2.1.8.RELEASE
CVE-2019-3802 affects Spring Data JPA 2.1.x releases prior to 2.1.8.RELEASE and 1.11.x releases prior to 1.11.22.RELEASE. The flaw is in the ExampleMatcher component when the STARTING, ENDING, or CONTAINING string matchers are used: the example (probe) value is placed into a SQL LIKE pattern without escaping, so a value that itself contains LIKE wildcard characters such as `%` or `_` widens the pattern and the query returns more rows than the caller intended. Fixes are available in 2.1.8.RELEASE and 1.11.22.RELEASE.
The primary impact is information disclosure. An attacker who controls an example value (for example, a search field that is copied into a probe entity) can submit a value built from wildcards so that the generated query matches an excessively broad set of records, returning data the attacker would not normally be able to retrieve. Note that this is not SQL injection: the value is still passed as a bound parameter, but the LIKE operator interprets the wildcards inside it. The severity is rated LOW, indicating that the attack requires specific conditions (user input reaching a query-by-example probe under one of the affected matchers) and is unlikely to lead to widespread compromise. The potential for data exposure still warrants prompt remediation.
CVE-2019-3802 was publicly disclosed on June 3, 2019. There are no known active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits have been widely published. The vulnerability is not currently listed on the CISA KEV catalog.
Applications using Spring Data JPA 2.1.x prior to 2.1.8.RELEASE or 1.11.x prior to 1.11.22.RELEASE are affected, particularly those that build an Example from user-controlled data with ExampleMatcher configured for STARTING, ENDING, or CONTAINING string matching. This includes web applications, microservices, and backend systems that rely on Spring Data JPA for data access.
• java / server:
# Check which Spring Data JPA version is bundled in a Spring Boot fat jar (the nested jar's file name carries the version)
unzip -l your_application.jar | grep 'spring-data-jpa'
# Or resolve the version from the Maven build
mvn dependency:tree -Dincludes=org.springframework.data:spring-data-jpa
• java / server:
# Inspect application logs for unusually large result sets from query-by-example endpoints, and for request
# parameters containing '%' or '_' that end up in ExampleMatcher probes with STARTING, ENDING, or CONTAINING matchers.
Exploitation status
EPSS
0.24% (48th percentile)
CVSS vector
The recommended mitigation for CVE-2019-3802 is to upgrade Spring Data JPA to 2.1.8.RELEASE or later (or 1.11.22.RELEASE or later on the 1.11.x line). If upgrading is not immediately feasible, avoid feeding user-supplied values into ExampleMatcher probes that use the STARTING, ENDING, or CONTAINING string matchers, or escape the LIKE wildcard characters (`%`, `_`, and the escape character itself) in any user-supplied value before it is placed in the probe. A WAF cannot address the root cause, since the payload is ordinary text in a normal request, but it can be used to flag requests carrying wildcard characters in search parameters and to alert on unusually large responses from the affected endpoints.
Upgrade Spring Data JPA to version 2.1.8.RELEASE or later, or to version 1.11.22.RELEASE or later. This corrects the ExampleMatcher behavior that could return more results than expected for malicious example values.
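The following is an added example, not code from this page or from the Spring Data project, that reproduces the mechanism behind this CVE and the escaping that the fixed releases apply. It mirrors how the STARTING, ENDING, and CONTAINING matchers turn an example value into a LIKE pattern (`value%`, `%value`, `%value%`) and runs that pattern against a small constructed SQLite table standing in for a JPA entity. The `users` table, its rows, and the function names are assumptions made for the demonstration; the wildcard behavior of LIKE is standard SQL.

```python
import sqlite3

# Constructed sample data standing in for a JPA entity table; not real data.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("mallory", "mallory@example.com"),
]


def open_sample_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def like_pattern(matcher, value):
    """Wrap the example value in SQL wildcards the way the three affected
    string matchers do. The value itself is inserted verbatim."""
    if matcher == "STARTING":
        return value + "%"
    if matcher == "ENDING":
        return "%" + value
    if matcher == "CONTAINING":
        return "%" + value + "%"
    raise ValueError("unsupported matcher: " + matcher)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters in user input so they match literally.
    The escape character itself must be escaped first. This is the kind of
    escaping the patched releases apply before building the pattern."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_by_example(conn, matcher, value, escape_input):
    """Query usernames by example. escape_input=False reproduces the
    vulnerable behavior; escape_input=True is the hardened form.
    The value is always a bound parameter: the issue is wildcard
    interpretation by LIKE, not SQL injection."""
    if escape_input:
        pattern = like_pattern(matcher, escape_like(value))
        sql = ("SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
               "ORDER BY username")
    else:
        pattern = like_pattern(matcher, value)
        sql = "SELECT username FROM users WHERE username LIKE ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = open_sample_db()
    # Benign probe: CONTAINING "ali" finds only alice either way.
    print(find_by_example(db, "CONTAINING", "ali", escape_input=False))
    # Malicious probe "%": unescaped, the pattern becomes "%%%" and every row matches.
    print(find_by_example(db, "CONTAINING", "%", escape_input=False))
    # Same probe with escaping: "%\%%" only matches a literal percent sign, so nothing.
    print(find_by_example(db, "CONTAINING", "%", escape_input=True))
```

The same widening happens with `_`, which matches any single character: an ENDING probe of `_ob` matches `bob` unescaped and nothing once escaped. When checking an application, look for the path from a request parameter to an `Example.of(...)` probe; the upgrade removes the need for application-side escaping, but the escaping shown here is the workaround for code that cannot move yet.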
CVE-2019-3802 is a LOW severity vulnerability in Spring Data JPA affecting 2.1.x releases prior to 2.1.8.RELEASE and 1.11.x releases prior to 1.11.22.RELEASE. Example values containing LIKE wildcards can cause the generated query to return more results than intended, potentially exposing sensitive data.
You are affected if you use Spring Data JPA 2.1.x prior to 2.1.8.RELEASE or 1.11.x prior to 1.11.22.RELEASE and build Examples with ExampleMatcher configured for STARTING, ENDING, or CONTAINING string matching, especially from user-supplied values.
Upgrade to Spring Data JPA 2.1.8.RELEASE or later (1.11.22.RELEASE or later on the 1.11.x line). As a temporary workaround, keep user-supplied values out of probes that use the affected string matchers, or escape LIKE wildcards in those values.
There are currently no known active exploitation campaigns targeting CVE-2019-3802, nor are there publicly available proof-of-concept exploits.
Refer to the Spring Data JPA release notes and security advisories on the Spring project website: https://spring.io/security