CVE-2016-11024: 
Java vulnerability analysis and mitigation

odata4j 0.7.0 contains a SQL injection vulnerability in ExecuteJPQLQueryCommand.java. The vulnerability was discovered in March 2020 and affects the core functionality of the software. The product is noted to be discontinued, indicating no official patches are available (NVD).

The vulnerability exists in the ExecuteJPQLQueryCommand.java file, specifically around line 37, allowing for SQL injection attacks. The severity of this vulnerability is rated as CRITICAL with a CVSS v3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

The SQL injection vulnerability could allow attackers to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized access, data manipulation, or data exfiltration. Given the CVSS score of 9.8, this vulnerability represents a critical risk to systems using the affected software (NVD).

Since the product is discontinued, there are two recommended mitigations: 1) Migrate to alternative OData implementations, such as Apache Olingo, or 2) Avoid using the org.odata4j.producer.jpa package entirely (Google Groups).

The vulnerability was discussed in the odata4j-discuss Google Group, where it was confirmed as a valid security issue. The discussion also highlighted the abandoned state of the project, with no security contacts available for coordinated disclosure (Google Groups).