Suppress warning about CVE-2024-49203 #71

Merged
tozh4728 merged 1 commits from cve-2024-49203 into develop 2025-01-09 12:54:44 +01:00

1 Commits

Author SHA1 Message Date
5540b4160b Suppress warning about CVE-2024-49203
All checks were successful
Deploy to branch.dsv.su.se / deploy (pull_request) Successful in 2m31s
Build and test / build-and-test (push) Successful in 15m45s
Remove branch deployment from branch.dsv.su.se / cleanup (pull_request) Successful in 17s
https://nvd.nist.gov/vuln/detail/CVE-2024-49203
https://github.com/querydsl/querydsl/issues/3757

Basically if you allow untrusted user input to be used in the "ORDER BY" clause
you can be vulnerable to SQL injection.

I believe this is nonsense and akin to saying every Java application has a
security vulnerability because JDBC allows you to execute arbitrary SQL if you
do not properly use PreparedStatement with parameters over a string-concatenated
Statement.

Even if this is considered a valid vulnerability we do not, currently, allow
untrusted user input to be used in the "ORDER BY" clause.
2024-12-20 14:13:49 +01:00
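The risk the commit message describes, as an added illustration that is not part of this pull request or the project's code: a bound parameter cannot name a column, so ORDER BY is the one place developers are tempted to concatenate, and the defence is an allow-list that maps caller-supplied sort keys to fixed column names. The table, rows, and key names below are constructed for the example, and the in-memory SQLite database stands in for whatever store the application uses.

```python
import sqlite3

# Allow-list: external sort key -> real column name. Anything not listed is rejected,
# so untrusted input never reaches the SQL text. (Constructed for this example.)
ALLOWED_SORT_COLUMNS = {"name": "name", "created": "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Build a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("bob", "2024-03-01"), ("alice", "2024-01-01"), ("carol", "2024-02-01")],
    )
    return conn


def is_allowed(sort_key, direction="asc"):
    """True only if both parts of the requested ordering are on the allow-list."""
    return sort_key in ALLOWED_SORT_COLUMNS and direction.lower() in ALLOWED_DIRECTIONS


def build_order_by(sort_key, direction="asc"):
    """Return an ORDER BY fragment built solely from allow-listed literals."""
    if not is_allowed(sort_key, direction):
        raise ValueError(f"unsupported sort request: {sort_key!r} {direction!r}")
    return f"{ALLOWED_SORT_COLUMNS[sort_key]} {ALLOWED_DIRECTIONS[direction.lower()]}"


def fetch_sorted(conn, sort_key, direction="asc"):
    """Hardened form: the fragment is concatenated, but it can only contain allow-listed text."""
    sql = "SELECT name FROM users ORDER BY " + build_order_by(sort_key, direction)
    return [row[0] for row in conn.execute(sql)]


def fetch_with_bound_order(conn, sort_key):
    """Why binding is not the answer here: the placeholder becomes a string constant,
    so the engine sorts every row by the same key and the named column is ignored.
    The returned order is whatever the engine produced, not an ordering by sort_key."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY ?", (sort_key,))]


if __name__ == "__main__":
    db = make_db()
    print(fetch_sorted(db, "name"))              # sorted by name
    print(fetch_sorted(db, "created", "desc"))   # sorted by created_at, newest first
    print(fetch_with_bound_order(db, "name"))    # not sorted by name: bound value is a constant
    print(is_allowed("name; --"))                # False: rejected before any SQL is built
```

The allow-list is the important part: the application decides which columns are sortable, and the SQL text never contains bytes chosen by the caller. That is the same discipline the commit message relies on when it says untrusted input is not allowed into the "ORDER BY" clause.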