CVE-2020-5428: SQL Injection in Spring Cloud Task

CVSS Score: 6 (CVSS v3.1)

Basic Information

EPSS Score: 0.50791%
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Package Name: org.springframework.cloud:spring-cloud-task-dependencies
Ecosystem: maven
Vulnerable Versions: < 2.2.5
First Patched Version: 2.2.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper handling of sort parameters in SQL queries within TaskExplorer. Analysis of Spring Data patterns indicates:

  1. ORDER BY clause construction methods (createOrderClause) would be vulnerable to injection if they used raw user input.
  2. Public TaskExplorer interface methods (getTaskExecutions) serve as the entry point for malicious sort parameters.
  3. The JDBC implementation layer is where unsanitized parameters would meet SQL string construction.

While exact patch details aren't shown, the CWE-89 classification and the Spring Cloud Task architecture strongly suggest these are the vulnerable code paths that would appear in call stacks during exploitation.
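As an added illustration of the pattern the analysis points at (this is example code, not code from Spring Cloud Task or from Miggo), a sort-clause builder that concatenates request input sits beside an allow-listed one; ORDER BY identifiers cannot be bound as JDBC parameters, which is why the allow-list is the control. The table, column and method names are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

/** Hypothetical example of the sort-parameter handling described above. */
public class OrderClauseExample {

    // Vulnerable pattern: the sort column and direction arrive as caller input and are
    // concatenated straight into the ORDER BY clause, so the query shape is caller-controlled.
    static String vulnerableOrderClause(String sortColumn, String direction) {
        return " ORDER BY " + sortColumn + " " + direction;
    }

    // Hardened pattern: map the caller's sort key onto a fixed allow-list of real column
    // names (assumed names) and accept only ASC/DESC; anything else is rejected before SQL is built.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "taskId", "TASK_EXECUTION_ID",
            "startTime", "START_TIME",
            "endTime", "END_TIME");

    static String safeOrderClause(String sortKey, String direction) {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unknown sort key: " + sortKey);
        }
        String dir = "DESC".equalsIgnoreCase(direction) ? "DESC" : "ASC";
        return " ORDER BY " + column + " " + dir;
    }

    // Row values such as the task name filter still go through bind parameters;
    // only the allow-listed ORDER BY fragment is assembled as a string.
    static ResultSet findByName(Connection conn, String taskName, String sortKey, String direction)
            throws SQLException {
        String sql = "SELECT TASK_EXECUTION_ID, TASK_NAME, START_TIME, END_TIME FROM TASK_EXECUTION"
                + " WHERE TASK_NAME = ?" + safeOrderClause(sortKey, direction);
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, taskName);
        return ps.executeQuery();
    }
}
```

Detection-wise, a sort key that does not resolve in the allow-list is the event worth logging: in the vulnerable builder the same input would silently become part of the statement.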


WAF Protection Rules

WAF Rule

Applications using Spring Cloud Task 2.2.4.RELEASE and below may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.
