CVE-2019-3797
Severity: LOW
Spring Data JPA <= 2.1.5, 2.0.13, 1.11.19 - Exposure of Sensitive Information via Derived Query Predicates
Title source: llmDescription
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the bound parameter values did not have their reserved characters properly escaped.
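The mechanism behind this advisory is that a "containing"-style predicate is implemented as a SQL LIKE pattern, so any `%` or `_` in the bound value acts as a wildcard instead of a literal character. The following is an added example, not code from Spring Data JPA or the advisory, showing the widened result set side by side with the mitigation: escaping the reserved characters and declaring an ESCAPE character in the query. It uses Python's built-in sqlite3 with a constructed `account` table and sample names; the table name, the data, and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the advisory).
SAMPLE_NAMES = ["alice", "bob", "carol", "100%_done", "d_ave"]

# Character used to escape LIKE metacharacters; it must also escape itself.
LIKE_ESCAPE_CHAR = "\\"


def escape_like(value: str, escape: str = LIKE_ESCAPE_CHAR) -> str:
    """Escape the LIKE reserved characters (%, _ and the escape char itself)
    so that a user-supplied fragment is matched literally."""
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def has_like_wildcards(value: str) -> bool:
    """Detection helper: true if a bound value would act as a pattern if
    it were handed to LIKE unescaped (useful for logging/alerting)."""
    return "%" in value or "_" in value or LIKE_ESCAPE_CHAR in value


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO account (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def find_containing_unescaped(conn: sqlite3.Connection, fragment: str) -> list:
    """Vulnerable shape of a 'containing' predicate: the fragment is wrapped
    in wildcards as-is, so wildcards inside it widen the match."""
    pattern = "%" + fragment + "%"
    rows = conn.execute(
        "SELECT name FROM account WHERE name LIKE ? ORDER BY name",
        (pattern,)).fetchall()
    return [r[0] for r in rows]


def find_containing_escaped(conn: sqlite3.Connection, fragment: str) -> list:
    """Hardened shape: reserved characters are escaped before wrapping and
    the query declares the escape character with ESCAPE."""
    pattern = "%" + escape_like(fragment) + "%"
    rows = conn.execute(
        "SELECT name FROM account WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for frag in ["alice", "%", "_"]:
        print(f"fragment {frag!r}: unescaped -> {find_containing_unescaped(db, frag)}, "
              f"escaped -> {find_containing_escaped(db, frag)}")
```

The hardened version is the behaviour a caller should expect from a "containing" predicate: the fragment `%` matches only the row that literally contains a percent sign, whereas the unescaped version returns every row. The same escaping applies to hand-written `@Query` methods that build LIKE patterns from bound parameters, which is the second case the advisory describes.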
References (1)
Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2019-3797
Scores
CVSS v3: 3.5
EPSS: 0.0109
EPSS Percentile: 61.1%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Details
CWE: CWE-200, CWE-89
Status: published
Products (2)
org.springframework.data/spring-data-jpa: 0 - 1.11.20 (Maven)
pivotal_software/spring_data_java_persistence_api: 1.11.0 - 1.11.19
Published: May 06, 2019
Tracked Since: Feb 18, 2026