search

amaybaum-dev / remediate-test

0 stars 1 forks source link

spring-data-jpa-1.8.1.RELEASE.jar: 1 vulnerabilities (highest severity is: 5.6) unreachable #27

Open dev-mend-for-github-com[bot] opened 9 months ago

dev-mend-for-github-com[bot] commented 9 months ago
Vulnerable Library - spring-data-jpa-1.8.1.RELEASE.jar

Spring Data module for JPA repositories.

Library home page: http://projects.spring.io/spring-data-jpa

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-jpa/1.8.1.RELEASE/spring-data-jpa-1.8.1.RELEASE.jar

Found in HEAD commit: 15d4a5374096c3ec1a1b4e003d3db96dd0b60fd2

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-data-jpa version) Remediation Possible** Reachability
CVE-2016-6652 Medium 5.6 spring-data-jpa-1.8.1.RELEASE.jar Direct 1.9.6.RELEASE

Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2016-6652 ### Vulnerable Library - spring-data-jpa-1.8.1.RELEASE.jar

Spring Data module for JPA repositories.

Library home page: http://projects.spring.io/spring-data-jpa

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-jpa/1.8.1.RELEASE/spring-data-jpa-1.8.1.RELEASE.jar

Dependency Hierarchy: - :x: **spring-data-jpa-1.8.1.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: 15d4a5374096c3ec1a1b4e003d3db96dd0b60fd2

Found in base branch: vp-rem

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.

Publish Date: 2016-10-05

URL: CVE-2016-6652

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6652

Release Date: 2016-10-05

Fix Resolution: 1.9.6.RELEASE

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.