CVE-2019-3802 : This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1

This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.

Published 2019-06-03 14:29:00

Updated 2021-10-29 19:51:49

Source Dell

View at NVD, CVE.org

Products affected by CVE-2019-3802

Pivotal Software » Spring Data Java Persistance Api
Versions from including (>=) 2.0.0 and up to, including, (<=) 2.0.14
cpe:2.3:a:pivotal_software:spring_data_java_persistance_api:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Data Java Persistance Api
Versions from including (>=) 1.11.0 and up to, including, (<=) 1.11.21
cpe:2.3:a:pivotal_software:spring_data_java_persistance_api:*:*:*:*:*:*:*:*
Matching versions
Pivotal Software » Spring Data Java Persistance Api
Versions from including (>=) 2.1.0 and up to, including, (<=) 2.1.7
cpe:2.3:a:pivotal_software:spring_data_java_persistance_api:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-3802

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 45 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-3802

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
3.5	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N	2.1	1.4	Dell
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2019-3802

CWE-155 Improper Neutralization of Wildcards or Matching Symbols

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

Assigned by: security_alert@emc.com (Secondary)

References for CVE-2019-3802

https://pivotal.io/security/cve-2019-3802

Additional information exposure with Spring Data JPA example matcher | Security | Pivotal
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-3802

Products affected by CVE-2019-3802

Exploit prediction scoring system (EPSS) score for CVE-2019-3802

CVSS scores for CVE-2019-3802

CWE ids for CVE-2019-3802

References for CVE-2019-3802