Veracode static scan found 2 HIGH security flaw with SQL Injection code in the odata4j-dist-0.7.0.jar
512 views
Skip to first unread message
Suyog Narkhede
May 11, 2016, 3:29:09 AM5/11/16
to odata4j-discuss
class name are
1. ExecuteCountQueryCommand.java line no 18
2. ExecuteJPQLQueryCommand.java line no 37
1. ExecuteCountQueryCommand.java line no 18
2. ExecuteJPQLQueryCommand.java line no 37
Artem Smotrakov
Mar 30, 2020, 11:54:22 AM3/30/20
to odata4j-discuss
I had a look at the mentioned classes, and the issues look valid to me.
Unfortunately, it looks like that odata4j is no longer maintained. I couldn't find any security point of contact with whom I could discuss the issue.
I see two possible mitigations here:
1. Migrate to other OData implementations (for example, see Apache Olingo).
2. Don't use org.odata4j.producer.jpa package.
I'll try to request a CVE for the issues. It may help to bring attention to the problem.
Artem
Reply all
Reply to author
Forward
0 new messages