As a result, a malicious user can craft a malicious query that will be executed against the database by a user with the appropriate permissions. This can expose sensitive data in the database that can then be used for nefarious purposes. This is a high priority issue for the Spring Data team, and we recommend that you upgrade your application to use the fully fledged driver as soon as possible.

What data is vulnerable?

Any data that is queried through the @Query or @Aggregation annotation can be vulnerable to this issue. This includes:

- fields of your data model
- a Spring Data collection
- a Spring Data property
- a Spring Data property annotated with @Value
- a Spring Data annotation

You can view a full list of data that is currently supported by Spring Data on MongoDB in the Spring documentation. As long as you are using the Spring Data MongoDB driver and a version that supports SpEL expressions, you are vulnerable to this issue.

How can I fix this?

There are a few options:

- Upgrade your application to use the fully fledged driver as soon as possible.
- Use a version of the driver that does not support SpEL expressions (currently, only the 3.1 release does).
- Use a version that does not support SpEL expressions, and use a different query method that does not support SpEL expressions (currently, only the 3.1 release does).

What should you do to fix this issue?

Upgrade your application to use the fully fledged driver as soon as possible.

What is SpEL?

SpEL stands for Spring Expression Language. It is an expression language used by the Spring Framework to evaluate expressions and generate SQL statements dynamically at runtime.
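To make the risk concrete, here is an added example (not code from the page or from the Spring Data project) of a Spring Data MongoDB repository that places a method argument inside a SpEL expression in @Query, beside the safer forms that bind the argument as a plain value. The entity, repository, method names and the allowlist pattern are assumptions for illustration.

```java
// Added example, not from the original page or the Spring Data project.
// Shows the risky pattern the text describes next to safer equivalents.
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

// Hypothetical document type.
class Person {
    String id;
    String lastname;
}

interface PersonRepository extends MongoRepository<Person, String> {

    // RISKY: ?#{[0]} is a SpEL expression evaluated at runtime, and the first
    // method argument is referenced from inside it. When that argument comes
    // straight from a request, the caller influences an evaluated expression
    // instead of a bound value, which is the condition the advisory warns about.
    @Query("{ 'lastname' : ?#{[0]} }")
    List<Person> findByLastnameSpel(String lastname);

    // SAFER: the positional placeholder ?0 binds the argument as a value.
    // No expression language is evaluated for this query.
    @Query("{ 'lastname' : ?0 }")
    List<Person> findByLastnameBound(String lastname);

    // SAFEST: a derived query needs no annotation and no SpEL at all.
    List<Person> findByLastname(String lastname);
}

// Defence in depth at the web boundary: reject input that does not look like a
// last name before it reaches any query method. The character set is an
// assumption for this example; adapt it to the real data.
final class LastnameValidator {
    private static final Pattern ALLOWED = Pattern.compile("^[\\p{L} '\\-]{1,64}$");

    static String requireValid(String input) {
        if (input == null || !ALLOWED.matcher(input).matches()) {
            throw new IllegalArgumentException("lastname rejected by allowlist");
        }
        return input;
    }
}
```

If a repository must keep SpEL for other reasons, review each @Query and @Aggregation method for parameter references inside `?#{...}` and move user-supplied values to `?0`-style placeholders.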

Timeline

Published on: 06/23/2022 17:15:00 UTC
Last modified on: 06/30/2022 19:13:00 UTC

References