{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T22:31:51.686","vulnerabilities":[{"cve":{"id":"CVE-2016-6652","sourceIdentifier":"security_alert@emc.com","published":"2016-10-05T16:59:04.757","lastModified":"2025-04-12T10:46:40.837","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call."},{"lang":"es","value":"Vulnerabilidad de inyección SQL en Pivotal Spring Data JPA en versiones anteriores a 1.9.6 (Gosling SR6) y 1.10.x en versiones anteriores a 1.10.4 (Hopper SR4), cuando se utiliza con un repositorio que define una consulta String usando la anotación @Query, permite a atacantes ejecutar comandos JPQL arbitrarios a través de una instancia de ordenación (sort) con una llamada a una función."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":5.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":3.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pivotal_software:spring_data_jpa:*:*:*:*:*:*:*:*","versionEndIncluding":"1.9.4","matchCriteriaId":"A9D14B1D-9109-44A3-857D-DC0B5D231EB2"},{"vulnerable":true,"criteria":"cpe:2.3:a:pivotal_software:spring_data_jpa:1.10.2:*:*:*:*:*:*:*","matchCriteriaId":"6731D068-C551-4607-A722-E2AD21268531"}]}]}],"references":[{"url":"http://www.securityfocus.com/bid/93276","source":"security_alert@emc.com"},{"url":"https://github.com/spring-projects/spring-data-jpa/commit/b8e7fe","source":"security_alert@emc.com","tags":["Patch"]},{"url":"https://jira.spring.io/browse/DATAJPA-965","source":"security_alert@emc.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://pivotal.io/security/cve-2016-6652","source":"security_alert@emc.com","tags":["Vendor Advisory"]},{"url":"https://security.gentoo.org/glsa/201701-01","source":"security_alert@emc.com"},{"url":"http://www.securityfocus.com/bid/93276","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/spring-projects/spring-data-jpa/commit/b8e7fe","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://jira.spring.io/browse/DATAJPA-965","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Vendor Advisory"]},{"url":"https://pivotal.io/security/cve-2016-6652","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"https://security.gentoo.org/glsa/201701-01","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}