Spring Data JPA Information Disclosure Vulnerability

Summary

This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.
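The matchers named above are translated into SQL `LIKE` patterns, so an example value that itself carries `LIKE` metacharacters widens the match instead of being compared literally. The following model is an added example, not code from the advisory or from the Spring Data project: it builds the pattern the way such a translation does, runs it against a constructed in-memory SQLite table, and contrasts the unescaped result count with the count after escaping the value (the translation rules and the backslash escape character are assumptions standing in for Spring's internals).

```python
import sqlite3

# Constructed sample rows standing in for an entity table searched by example.
SAMPLE_ROWS = ["alice", "albert", "bob", "carol", "dave", "ann_b"]

LIKE_ESCAPE = "\\"  # assumed escape character for the LIKE ... ESCAPE clause


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so the example value is matched literally."""
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def like_pattern(matcher: str, value: str, escape: bool) -> str:
    """Model of how STARTING / ENDING / CONTAINING become a LIKE pattern."""
    v = escape_like(value) if escape else value
    return {"STARTING": v + "%",
            "ENDING": "%" + v,
            "CONTAINING": "%" + v + "%"}[matcher]


def count_matches(matcher: str, value: str, escape: bool) -> int:
    """Return how many sample rows the (optionally escaped) pattern matches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(r,) for r in SAMPLE_ROWS])
    sql = "SELECT COUNT(*) FROM users WHERE name LIKE ?"
    if escape:
        sql += " ESCAPE '\\'"  # SQLite literal '\' is a single backslash
    (n,) = conn.execute(sql, (like_pattern(matcher, value, escape),)).fetchone()
    conn.close()
    return n


if __name__ == "__main__":
    # A benign prefix behaves the same either way; a bare wildcard does not.
    for matcher, value in [("STARTING", "al"), ("STARTING", "%"), ("CONTAINING", "_")]:
        print(matcher, repr(value),
              "unescaped:", count_matches(matcher, value, False),
              "escaped:", count_matches(matcher, value, True))
```

With escaping, the legitimate underscore in `ann_b` is still found by `CONTAINING "_"`, while a lone `%` no longer matches every row.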

Credit:

The information has been provided by Thaveethu Vignesh.

The original article can be found at: https://pivotal.io/security/cve-2019-3802


Details

Spring Data JPA is prone to an information disclosure vulnerability. This allows local or remote attackers to gain privileges via a malicious program in the affected application.

Vulnerable Systems:

  • Spring Data JPA 2.1.6
  • Spring Data JPA 2.0.14
  • Spring Data JPA 1.11.20

CVE Information:

CVE-2019-3802

Disclosure Timeline:
Publish Date: 06/03/2019