CVE-2016-6652 — Improper Neutralization of Special Elements used in an SQL Command Pivotal Spri

Description

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.

How to fix CVE-2016-6652

To remediate CVE-2016-6652, upgrade the affected package to a fixed version below.

—upgrade to 1.9.6 or later

Is CVE-2016-6652 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.9.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-6652
WEBgithub.com/spring-projects/spring-data-jpa/commit/b8e7fe
WEBjira.spring.io/browse/DATAJPA-965
WEBpivotal.io/security/cve-2016-6652
WEBsecurity.gentoo.org