High severityOSV Advisory· Published Nov 20, 2024· Updated Jun 17, 2026
CVE-2024-49203
CVE-2024-49203
Description
Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. NOTE: this is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.github.openfeign.querydsl:querydsl-jpaMaven | >= 6.0.0.M1, < 6.10.1 | 6.10.1 |
io.github.openfeign.querydsl:querydsl-aptMaven | >= 6.0.0.M1, < 6.10.1 | 6.10.1 |
io.github.openfeign.querydsl:querydsl-jpaMaven | < 5.6.1 | 5.6.1 |
io.github.openfeign.querydsl:querydsl-aptMaven | < 5.6.1 | 5.6.1 |
com.querydsl:querydsl-jpaMaven | <= 5.1.0 | — |
com.querydsl:querydsl-aptMaven | <= 5.1.0 | — |
Affected products
5- ghsa-coords4 versionspkg:maven/com.querydsl/querydsl-aptpkg:maven/com.querydsl/querydsl-jpapkg:maven/io.github.openfeign.querydsl/querydsl-aptpkg:maven/io.github.openfeign.querydsl/querydsl-jpa
<= 5.1.0+ 3 more
- (no CPE)range: <= 5.1.0
- (no CPE)range: <= 5.1.0
- (no CPE)range: >= 6.0.0.M1, < 6.10.1
- (no CPE)range: >= 6.0.0.M1, < 6.10.1
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-6q3q-6v5j-h6vgnvdADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-49203ghsaADVISORY
- github.com/OpenFeign/querydsl/releases/tag/5.6.1nvdWEB
- github.com/OpenFeign/querydsl/releases/tag/6.10.1nvdWEB
- github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vgghsaWEB
- github.com/querydsl/querydsl/issues/3757nvdWEB
- github.com/querydsl/querydsl/releases/tag/QUERYDSL_5_1_0nvdWEB
- www.csirt.sk/querydsl-java-library-vulnerability-permits-sql-hql-injection.htmlnvdWEB
- github.com/OpenFeign/querydsl/pull/742nvd
- github.com/OpenFeign/querydsl/pull/743nvd
- github.com/spring-projects/spring-data-jpa/issues/3693nvd
News mentions
0No linked articles in our index yet.