CVE-2019-3797 Information

Description

This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates 'startingWith', 'endingWith' or 'containing' could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the bound parameter values did not have their reserved characters properly escaped.
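To make the mechanism concrete, the following added example (not code from the advisory or from Spring Data JPA) reproduces the pattern in plain SQL against an in-memory SQLite table with constructed sample rows. The first query mirrors a 'containing' derived query: the value is bound safely as a parameter, yet LIKE metacharacters ('%' and '_') inside it still act as wildcards. The second query shows the hardened form, escaping those characters and declaring an ESCAPE clause so they match literally. Table and column names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the advisory).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_containing_unescaped(conn: sqlite3.Connection, fragment: str) -> list[str]:
    """Mirrors a 'containing' query that wraps the raw value in wildcards.

    The value is bound as a parameter (so there is no SQL injection), but
    '%' and '_' inside it are still interpreted by LIKE as wildcards, so a
    fragment of '%' matches every row.
    """
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%'",
        (fragment,),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(value: str, escape: str = "\\") -> str:
    """Escape the LIKE metacharacters and the escape character itself.

    The escape character is doubled first so that backslashes already in
    the input cannot neutralise the escaping applied to '%' and '_'.
    """
    return (
        value.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def find_by_name_containing_escaped(conn: sqlite3.Connection, fragment: str) -> list[str]:
    """Hardened form: escape the fragment and declare the escape character,
    so '%' and '_' supplied by the caller match only themselves."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%' ESCAPE '\\'",
        (escape_like(fragment),),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_containing_unescaped(db, "%"))  # every row comes back
    print(find_by_name_containing_escaped(db, "%"))    # no name contains a literal '%'
    print(find_by_name_containing_escaped(db, "ali"))  # ['alice']
```

The same escaping must be applied before any LIKE parameter, whether it comes from a derived query or a hand-written @Query; binding the value as a parameter alone does not neutralise wildcard characters.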

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://pivotal.io/security/cve-2019-3797

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
