CVE-2016-6652
Summary
| CVE | CVE-2016-6652 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2016-10-05 16:59:00 UTC |
|---|
| Updated | 2017-07-01 01:30:00 UTC |
|---|
| Description | SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| [DATAJPA-965] Mapping Sort instances to ORDER BY expressions should be restricted to fields for manually defined queries - Spring JIRA |
CONFIRM |
jira.spring.io |
Mitigation, Vendor Advisory |
| Pivotal Spring Data JPA CVE-2016-6652 SQL Injection Vulnerability |
BID |
www.securityfocus.com |
|
| CVE-2016-6652 Spring Data JPA Blind SQL Injection Vulnerability | Security | Pivotal |
CONFIRM |
pivotal.io |
Vendor Advisory |
| DATAJPA-965 - Fix potential blind SQL injection in Sort when used in … · spring-projects/spring-data-jpa@b8e7fec · GitHub |
CONFIRM |
github.com |
Patch |
| MariaDB and MySQL: Multiple vulnerabilities (GLSA 201701-01) — Gentoo security |
GENTOO |
security.gentoo.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710332 Gentoo Linux MariaDB and MySQL Multiple Vulnerabilities (GLSA 201701-01)
