Veracode static scan found 2 HIGH security flaws with SQL Injection code in the odata4j-dist-0.7.0.jar


Suyog Narkhede

May 11, 2016, 3:29:09 AM
to odata4j-discuss
The class names are:
1. ExecuteCountQueryCommand.java line no 18
2. ExecuteJPQLQueryCommand.java line no 37

Artem Smotrakov

Mar 30, 2020, 11:54:22 AM
to odata4j-discuss
I had a look at the mentioned classes, and the issues look valid to me.

Unfortunately, it looks like odata4j is no longer maintained. I couldn't find any security point of contact with whom I could discuss the issue.

I see two possible mitigations here:
1. Migrate to other OData implementations (for example, see Apache Olingo).
2. Don't use org.odata4j.producer.jpa package.

I'll try to request a CVE for the issues. It may help to bring attention to the problem.

Artem 