VDB
CVE-2019-3797
CVE-2019-3797
PUBLISHED
CVSS 3.5 LOW
Reported by dell · Published May 6, 2019
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.
Risk Scores
CVSS v3.0
3.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spring | Spring Boot | 2.0, 1.5, 2.1 |
| Spring | Spring Boot | 2.0, 1.5, 2.1 |
| Maven | org.springframework.data:spring-data-jpa | 1.11.0, 1.11.0 |
Timeline
- May 6, 2019 CVE Published
- Feb 10, 2020 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
References
- x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2019-3797 advisory