CVE-2019-3797 LOW

CVE-2019-3797: Additional information exposure with Spring Data JPA derived queries

Vendor Spring

Product Spring Boot

Weakness CWE-89 · SQLi

Published May 6, 2019

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.

Key dates

02Disclosure timeline

May 6, 2019 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-3797

Related vulnerabilities

Identifiers

CVE CVE-2019-3797

CWE CWE-89

CVSS 3.5 / LOW

Affected versions

Vendor Spring

Product Spring Boot

Affected ≥ 2.0 and < v2.0.9.RELEASE

Vendor Spring

Product Spring Boot

Affected ≥ 1.5 and < v1.5.20.RELEASE

Vendor Spring

Product Spring Boot

Affected ≥ 2.1 and < v2.1.4.RELEASE

CVE-2019-3797: Additional information exposure with Spring Data JPA derived queries

01Description

02Disclosure timeline

03References

04Related CVE