Open mend-bolt-for-github[bot] opened 4 years ago
CVE-2019-3802 - Medium Severity Vulnerability
Spring Data module for JPA repositories.
Library home page: https://projects.spring.io/spring-data-jpa
Path to dependency file: /tmp/ws-scm/assessment/pom.xml
Path to vulnerable library: /root/.m2/repository/org/springframework/data/spring-data-jpa/2.1.6.RELEASE/spring-data-jpa-2.1.6.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-data-jpa-2.1.4.RELEASE.jar (Root Library)
  - :x: **spring-data-jpa-2.1.6.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: 0b0141cbd532a1b08f6a2060584c3620fcb2527e
This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.
Publish Date: 2019-06-03
URL: CVE-2019-3802
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3802
Release Date: 2019-06-03
Fix Resolution: 1.11.22.RELEASE,2.1.8.RELEASE