Lifecycle Timeline
1Blast Radius
ecosystem impact- 145 maven packages depend on com.querydsl:querydsl-apt (117 direct, 28 indirect)
- 267 maven packages depend on com.querydsl:querydsl-jpa (141 direct, 126 indirect)
- 3 maven packages depend on io.github.openfeign.querydsl:querydsl-apt (3 direct, 0 indirect)
- 1 maven packages depend on io.github.openfeign.querydsl:querydsl-jpa (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.1.0 and other introduced versions.
DescriptionCVE.org
Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. NOTE: this is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction.
AnalysisAI
Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. Public exploit code available and no vendor patch available.
Technical ContextAI
Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. NOTE: this is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction.
Affected ProductsAI
See vendor advisory for affected versions.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today