CVE-2022-24815: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in jhipster generator-jhipster

Medium
Published: Mon Apr 11 2022 (04/11/2022, 19:25:13 UTC)
Source: CVE
Vendor/Project: jhipster
Product: generator-jhipster

Description

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. A SQL Injection vulnerability exists in entities of applications generated with the option "reactive with Spring WebFlux" enabled and an SQL database using r2dbc. Applications created without "reactive with Spring WebFlux" and applications with NoSQL databases are not affected. Users who have generated a microservice Gateway using the affected version may be impacted, as Gateways are reactive by default. Currently, SQL injection is possible in the findAllBy(Pageable pageable, Criteria criteria) method of an entity repository class generated in these applications, as the where clause built from the Criteria is not sanitized and user input is passed on as-is by the criteria. This issue has been patched in v7.8.1. Users unable to upgrade should be careful when combining criteria and conditions, as the root of the issue lies in the `EntityManager.java` class when creating the where clause via `Conditions.just(criteria.toString())`. `just` accepts the literal string provided. Criteria's `toString` method returns a plain string, and this combination is vulnerable to SQL injection as the string is not sanitized and will contain whatever the user passed as input, including any plain SQL.

AI-Powered Analysis

Last updated: 06/22/2025, 02:36:23 UTC

Technical Analysis

CVE-2022-24815 is a SQL Injection vulnerability identified in the JHipster development platform, specifically affecting the generator-jhipster tool versions from 7.0.0 up to but not including 7.8.1. JHipster is widely used for rapidly generating modern web applications and microservice architectures. The vulnerability arises when applications are generated with the "reactive with Spring WebFlux" option enabled and use an SQL database via the R2DBC (Reactive Relational Database Connectivity) driver. Applications generated without this reactive option or those using NoSQL databases are not affected. The core issue lies in the way the EntityManager.java class constructs SQL queries: the method findAllBy(Pageable pageable, Criteria criteria) in the generated entity repository classes uses Criteria objects to build the WHERE clause. However, the Criteria's toString() method returns a plain string representation of the criteria, which is then passed directly into the Conditions.just() method without sanitization. Conditions.just() accepts the literal string as-is, allowing malicious user input embedded in the criteria to be executed as part of the SQL query. This improper neutralization of special elements (CWE-89) enables attackers to inject arbitrary SQL commands, potentially leading to unauthorized data access or manipulation. Microservice Gateways generated with the affected versions are also vulnerable since they are reactive by default. The vulnerability has been patched in version 7.8.1. For users unable to upgrade, caution is advised when combining criteria and conditions, as the root cause is the unsanitized string concatenation in the query construction process. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of data managed by applications generated using the affected JHipster versions with reactive Spring WebFlux and SQL databases. Exploitation could allow attackers to execute arbitrary SQL commands, leading to unauthorized data disclosure, data modification, or even deletion. This could compromise sensitive business information, customer data, or critical operational data. Given that JHipster is popular among enterprises and startups for rapid application development, especially in sectors like finance, healthcare, and public services, exploitation could disrupt services or lead to regulatory compliance violations under GDPR. The reactive microservice architectures commonly used in modern cloud-native deployments mean that compromised components could serve as entry points to broader network segments, amplifying the impact. Although no active exploits are known, the ease of injection via unsanitized criteria strings means that attackers with access to input fields or APIs that accept criteria parameters could exploit this vulnerability. This is particularly concerning for organizations exposing such services externally or to third-party integrations.

Mitigation Recommendations

1. Immediate upgrade to JHipster generator-jhipster version 7.8.1 or later, where the vulnerability is patched.
2. For organizations unable to upgrade promptly, implement strict input validation and sanitization on all user inputs that influence criteria objects used in queries. Avoid passing raw user input directly into criteria without sanitization.
3. Review and refactor any custom code that constructs Criteria objects or uses Conditions.just() with user input to ensure proper escaping or parameterization.
4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block SQL injection attempts targeting reactive Spring WebFlux applications.
5. Conduct thorough code audits and penetration testing focusing on reactive microservices generated by JHipster to identify any injection vectors.
6. Monitor application logs and database query logs for anomalous or unexpected query patterns indicative of injection attempts.
7. Limit database user privileges for applications to the minimum necessary to reduce potential damage from successful injection.
8. Educate developers on secure coding practices related to reactive programming and query construction to prevent similar issues in the future.
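The `Conditions.just(criteria.toString())` construction from the Technical Analysis, placed beside one parameterized alternative of the kind recommendation 3 asks for, as an added example: this is not JHipster's own code and not its 7.8.1 patch. It assumes Spring Data R2DBC on the classpath; the class, method and column names are hypothetical.

```java
// Added example, not JHipster's code. Assumes Spring Data R2DBC on the classpath.
// Class, method and column names are hypothetical.
import org.springframework.data.domain.Pageable;
import org.springframework.data.r2dbc.core.R2dbcEntityTemplate;
import org.springframework.data.relational.core.query.Criteria;
import org.springframework.data.relational.core.query.Query;
import org.springframework.data.relational.core.sql.Conditions;
import org.springframework.data.relational.core.sql.Select;
import org.springframework.data.relational.core.sql.SelectBuilder.SelectFromAndJoin;
import reactor.core.publisher.Flux;

public class CriteriaQueryExample {

    private final R2dbcEntityTemplate template;

    public CriteriaQueryExample(R2dbcEntityTemplate template) {
        this.template = template;
    }

    // VULNERABLE pattern described in the advisory: Criteria.toString() renders the
    // filter as plain SQL text and Conditions.just() embeds that text verbatim, so a
    // quote or operator inside a filter value becomes part of the WHERE clause.
    public static Select vulnerableWhere(SelectFromAndJoin selectFrom, Criteria criteria) {
        return selectFrom.where(Conditions.just(criteria.toString())).build();
    }

    // HARDENED alternative: hand the Criteria object itself to the entity template.
    // Spring Data maps each comparison to a bind marker and binds the values through
    // R2DBC, so filter values are never spliced into the SQL text.
    public <T> Flux<T> safeFindAllBy(Class<T> entityType, Pageable pageable, Criteria criteria) {
        Query query = Query.query(criteria).with(pageable);
        return template.select(query, entityType);
    }

    // Building a filter from an untrusted request parameter (hypothetical "login"
    // column); on the hardened path the value is only ever bound as a parameter.
    public <T> Flux<T> findByLogin(Class<T> entityType, Pageable pageable, String loginParam) {
        return safeFindAllBy(entityType, pageable, Criteria.where("login").is(loginParam));
    }
}
```

When auditing generated code for recommendation 3, any call site that reaches `Conditions.just` with a string derived from `Criteria.toString()` or from request input is the pattern to replace.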

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9848c4522896dcbf6375

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 2:36:23 AM

Last updated: 8/14/2025, 12:06:10 PM
