GHSA-xggx-fx6w-v7ch

GitHub Security Advisory

Improper Neutralization of Wildcards or Matching Symbols

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.
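
The bug class described above, as an added example that is not Spring Data JPA's code or part of the advisory: a "starting with" match is modelled as a SQL LIKE prefix query, once with the supplied value used as pattern text and once with LIKE wildcards neutralized. It assumes SQLite as a stand-in database; the table, the rows and all function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; SQLite stands in for the JPA-backed database.
ROWS = [("alice",), ("alicia",), ("bob",), ("a%b",), ("a_b",)]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", ROWS)
    return db

def escape_like(value, esc="\\"):
    """Neutralize LIKE metacharacters so the value matches only literally."""
    # Escape the escape character first, then the two wildcards.
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def starting_with_unescaped(db, value):
    # Weak form: the caller's value is used as pattern text, so any
    # '%' or '_' inside it is interpreted as a wildcard.
    cur = db.execute("SELECT name FROM users WHERE name LIKE ? ORDER BY name",
                     (value + "%",))
    return [r[0] for r in cur]

def starting_with_escaped(db, value):
    # Hardened form: wildcards in the value are escaped and the query
    # declares the escape character; only the trailing '%' is a wildcard.
    cur = db.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (escape_like(value) + "%",))
    return [r[0] for r in cur]

if __name__ == "__main__":
    db = open_db()
    for probe in ("ali", "a_", "%"):
        print(repr(probe), starting_with_unescaped(db, probe),
              starting_with_escaped(db, probe))
```

Binding the value as a query parameter does not help here, because the wildcard is interpreted inside the LIKE pattern itself; the escaping has to be applied to the value before the trailing wildcard is appended.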

Affected Packages

Maven org.springframework.data:spring-data-jpa
Affected versions: 2.1.0 (fixed in 2.1.8)
Maven org.springframework.data:spring-data-jpa
Affected versions: 2.0.0 (fixed in 2.1.8)
Maven org.springframework.data:spring-data-jpa
Affected versions: 0 (fixed in 1.11.22)

Key Information

GHSA ID: GHSA-xggx-fx6w-v7ch
Published: June 4, 2019 3:42 PM
Last Modified: August 4, 2021 8:41 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.springframework.data:spring-data-jpa
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.