## Vulnerabilities
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.**
## Details
## CVE-2018-1273
### Vulnerable Library - spring-data-commons-1.10.1.RELEASE.jar

Global parent pom.xml to be used by Spring Data modules
Library home page: http://www.spring.io/spring-data
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-commons/1.10.1.RELEASE/spring-data-commons-1.10.1.RELEASE.jar
Dependency Hierarchy:
- spring-data-jpa-1.8.1.RELEASE.jar (Root Library)
  - :x: **spring-data-commons-1.10.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: e05a354f76ea8825b79bebaf46a05fc37d1979e0
Found in base branch: vp-rem
### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.
Publish Date: 2018-04-11
URL: CVE-2018-1273
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1273
Release Date: 2018-04-11
Fix Resolution (org.springframework.data:spring-data-commons): 1.13.11.RELEASE
Direct dependency fix Resolution (org.springframework.data:spring-data-jpa): 1.11.11.RELEASE
In order to enable automatic remediation, please create workflow rules
## CVE-2016-6652

### Vulnerable Library - spring-data-jpa-1.8.1.RELEASE.jar

Spring Data module for JPA repositories.
Library home page: http://projects.spring.io/spring-data-jpa
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-jpa/1.8.1.RELEASE/spring-data-jpa-1.8.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-data-jpa-1.8.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: e05a354f76ea8825b79bebaf46a05fc37d1979e0
Found in base branch: vp-rem
### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
Publish Date: 2016-10-05
URL: CVE-2016-6652
### CVSS 3 Score Details (5.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6652
Release Date: 2016-10-05
Fix Resolution: 1.9.6.RELEASE
In order to enable automatic remediation, please create workflow rules