Medium severity5.6NVD Advisory· Published Oct 5, 2016· Updated May 6, 2026

CVE-2016-6652

Description

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.data:spring-data-jpaMaven	< 1.9.6	1.9.6
org.springframework.data:spring-data-jpaMaven	>= 1.10.0, < 1.10.4	1.10.4

Affected products

Pivotal Software/Spring Data Jpa2 versions
cpe:2.3:a:pivotal_software:spring_data_jpa:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:pivotal_software:spring_data_jpa:*:*:*:*:*:*:*:*range: <=1.9.4
- cpe:2.3:a:pivotal_software:spring_data_jpa:1.10.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/spring-projects/spring-data-jpa/commit/b8e7fenvdPatchWEB
github.com/advisories/GHSA-xr4v-28rm-pvgwghsaADVISORY
jira.spring.io/browse/DATAJPA-965nvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2016-6652ghsaADVISORY
pivotal.io/security/cve-2016-6652nvdVendor AdvisoryWEB
www.securityfocus.com/bid/93276nvdWEB
security.gentoo.org/glsa/201701-01nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.364
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000