CVE-2024-49203: 
Java vulnerability analysis and mitigation

Querydsl 5.1.0 and OpenFeign Querydsl 6.8 contains a SQL/HQL injection vulnerability in the orderBy functionality of JPAQuery. The vulnerability was discovered by CSIRT.SK security analysts and was assigned CVE-2024-49203. This issue is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction (NVD, CSIRT).

The vulnerability exists due to insufficient input sanitization in the orderBy(OrderSpecifier order) function. When the order variable is generated from user input using PathBuilder.get() method, it allows injection of arbitrary HQL queries. The vulnerability affects multiple components including querydsl-jpa 5.1.0, querydsl-apt 5.1.0, and OpenFeign querydsl 6.8. The issue was fixed in versions 5.6.1 and 6.10.1 (GitHub Advisory, CSIRT).

The vulnerability can lead to information disclosure through blind SQL injection techniques, allowing attackers to extract data from the database. Additionally, it could potentially result in denial of service attacks (CSIRT).

The issue has been fixed in Querydsl versions 5.6.1 and 6.10.1. Users are recommended to upgrade to these patched versions. For those unable to upgrade immediately, it is recommended to implement additional treatment of user input following secure development best practices (OpenFeign Release, OpenFeign Release).