A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
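The pattern the description refers to, shown beside a caller-side guard, as an added example that is not code from the project or from this issue. The `Account` entity, the method names and the allow-list values are hypothetical, and the `javax.persistence` API is assumed to be on the classpath.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Tuple;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

// Hypothetical entity, used only for this example.
@Entity
class Account {
    @Id Long id;
    String owner;
}

public class LiteralInSelectReview {
    // Constructed allow-list: the only label values the application itself defines.
    private static final Set<String> ALLOWED_LABELS = Set.of("ACTIVE", "ARCHIVED");

    // Pattern to flag in code review: a caller-supplied string becomes a
    // Criteria literal in the SELECT list, the position the description names.
    static List<Tuple> selectWithLabel(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Tuple> cq = cb.createTupleQuery();
        Root<Account> account = cq.from(Account.class);
        cq.multiselect(account.get("owner"), cb.literal(label));
        return em.createQuery(cq).getResultList();
    }

    // Guarded caller: only application-defined constants ever reach cb.literal(),
    // so the query text never depends on how the provider renders the literal.
    static List<Tuple> selectWithCheckedLabel(EntityManager em, String label) {
        if (label == null || !ALLOWED_LABELS.contains(label)) {
            throw new IllegalArgumentException("label is not an application-defined constant");
        }
        return selectWithLabel(em, label);
    }
}
```

The same review applies to literals passed to `groupBy(...)`, the other clause the description names.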
Does it affect legacy Criteria/DetachedCriteria?
The CVE for this implies this issue is fixed in 5.3.18, but this issue is not marked as fixed in that version (and that version does not appear to have been released).
Is 5.3 affected, and if so, is it planned to backport a fix for this to that branch? Right now, I don’t see an equivalent to on the 5.3 branch.