Querydsl: HQL Injection Vulnerability (CVE-2024-49203) – Critical

2024-11-27

Form:

Platform: Querydsl
Version: Not specified (vulnerable since initial versions)
Vulnerability: HQL Injection
Severity: Critical
Date: November 21, 2024 (CVE published)

What Undercode Says:

This blog post highlights a critical HQL injection vulnerability in the Querydsl library. A malicious user can inject HQL through the “orderBy” parameter, potentially leading to information disclosure and Denial-of-Service (DoS).

The vulnerability lies in how user-supplied input is handled when order clauses are built for HQL queries: an attacker can craft an “orderBy” value that carries additional HQL statements into the generated query.

The provided Proof-of-Concept (PoC) shows an attacker using the flaw to make the database sleep for 10 seconds, demonstrating the DoS potential.

This vulnerability is present since the inception of the Querydsl project and has been assigned the preliminary CVE identifier CVE-2024-49203.

It is crucial to update Querydsl to a patched version that addresses this vulnerability to mitigate the risk of information disclosure and DoS attacks.
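As an added example, not code from this post or from the Querydsl project, the following shows the mitigating pattern a service can apply alongside upgrading: the request's “orderBy” string never reaches the HQL serializer, it only selects among pre-built paths from a fixed allowlist, and anything else is rejected. The entity class Article with the fields title and createdAt is assumed.

```java
import java.time.LocalDateTime;
import java.util.Map;
import java.util.Optional;
import com.querydsl.core.types.OrderSpecifier;
import com.querydsl.core.types.dsl.ComparableExpressionBase;
import com.querydsl.core.types.dsl.PathBuilder;

/** Builds ORDER BY for a Querydsl JPA query from a request's "orderBy" value
 *  without ever handing that raw string to the query serializer.
 *  The entity Article (fields title, createdAt) is assumed for this example. */
public final class SafeOrderBy {
    private static final PathBuilder<Article> ARTICLE =
            new PathBuilder<>(Article.class, "article");
    // Allowlist: the client-visible sort key selects a pre-built, fixed entity path.
    private static final Map<String, ComparableExpressionBase<?>> ALLOWED_SORTS = Map.of(
            "title", ARTICLE.getString("title"),
            "created", ARTICLE.getDateTime("createdAt", LocalDateTime.class));

    private SafeOrderBy() {}

    /** Accepts "created,desc" or "title"; returns empty for unknown keys or a
     *  direction other than asc/desc, so callers fall back to a default sort. */
    public static Optional<OrderSpecifier<?>> fromRequest(String orderBy) {
        if (orderBy == null) {
            return Optional.empty();
        }
        String[] parts = orderBy.split(",", -1);
        if (parts.length > 2) {
            return Optional.empty();
        }
        ComparableExpressionBase<?> path = ALLOWED_SORTS.get(parts[0].trim());
        if (path == null) {
            return Optional.empty(); // unknown key: reject, never interpolate the text
        }
        String dir = parts.length == 2 ? parts[1].trim().toLowerCase() : "asc";
        switch (dir) {
            case "asc":
                return Optional.of(path.asc());
            case "desc":
                return Optional.of(path.desc());
            default:
                return Optional.empty();
        }
    }
}
```

The returned specifier is passed directly to JPAQuery.orderBy(...); a request whose key is not in the allowlist simply gets the default sort.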

References:

Reported By: Github.com