CVE-2022-24815: 
JavaScript vulnerability analysis and mitigation

JHipster, a development platform for generating and deploying modern web applications and microservice architectures, was found to contain a SQL Injection vulnerability (CVE-2022-24815) affecting applications generated with the 'reactive with Spring WebFlux' option enabled and SQL databases using r2dbc. The vulnerability was discovered in versions 7.0.0 through 7.8.0 and patched in version 7.8.1. Applications created without 'reactive with Spring WebFlux' and applications with NoSQL databases are not affected, though microservice Gateways may be impacted as they are reactive by default (GitHub Advisory).

The vulnerability exists in the findAllBy(Pageable pageable, Criteria criteria) method of entity repository classes generated in affected applications. The issue stems from unsanitized where clauses using Criteria for queries, where user input is passed directly through the criteria. The root cause lies in the EntityManager.java class when creating the where clause via Conditions.just(criteria.toString()). The just method accepts the literal string provided, and Criteria's toString method returns a plain string without sanitization, allowing any SQL input to be executed (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

When exploited, this vulnerability allows attackers to perform SQL injection attacks that could potentially lead to unauthorized database access, data manipulation, or even database structure modification. For example, an attacker could craft malicious input that would allow them to execute arbitrary SQL commands, including dropping tables or accessing sensitive data (GitHub Issue).

The issue has been patched in version 7.8.1 by removing the findAllBy(Pageable pageable, Criteria criteria) method from entity repositories and replacing org.springframework.data.relational.core.query.Criteria support with org.springframework.data.relational.core.sql.Condition. For users unable to upgrade, it is recommended to be careful when combining criterias and conditions and avoid passing user-provided criteria to the createSelect method of EntityManager. Users with existing reactive applications generated by impacted versions should audit for use of Criteria and take appropriate actions (GitHub Advisory).