CVE-2022-22980 The application is vulnerable to SpEL injection if the @Query or @Aggregation-annotated query methods are used with SpEL expressions that contain query parameter placeholders for value binding.

As a result, malicious users can craft a query that will be executed against the database by a user with the appropriate permissions. This can expose sensitive data in the database that can then be used for nefarious purposes. This is a high-priority issue for the Spring Data team, and we recommend that you upgrade your application to use the fully fledged driver as soon as possible.

What data is vulnerable?

Any data that uses the @Query or @Aggregation annotation can be vulnerable to this issue. This includes:

fields of your data model

a Spring Data collection

a Spring Data property

a Spring Data property annotated with @Value

a Spring Data annotation

You can view a full list of data that is currently supported by Spring Data on MongoDB in the Spring documentation. As long as you are using the Spring Data MongoDB driver and a version that supports SpEL expressions, you are vulnerable to this issue.

How can I fix this?

There are a few options:

Upgrade your application to use the fully fledged driver, as soon as possible

Use a version of the driver that does not support SpEL expressions (currently, only the 3.1 release does)

Use a version that does not support SpEL expressions and use a different query method that does not support SpEL expressions (currently, only the 3.1 release does)

What should you do to fix this issue?

Upgrade your application to use the fully fledged driver, as soon as possible
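Below is an added example (not code from this post or from the Spring Data project) of what the advisory's condition looks like in a repository interface, placed next to the two forms that avoid it. Person, PersonRepository and the method names are hypothetical, and the risky form assumes an unpatched release that splices the ?0 placeholder into the expression text before SpEL evaluates it.

```java
// Added example: the annotation pattern the advisory describes, beside the
// safe forms. Person and PersonRepository are hypothetical names.
package example;

import java.util.List;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

@Document("people")
class Person {
    @Id String id;
    String lastname;
}

interface PersonRepository extends MongoRepository<Person, String> {

    // RISKY on unpatched releases: the ?0 placeholder sits INSIDE a SpEL
    // expression (?#{ ... }). The caller-supplied value is substituted into
    // the expression source before SpEL parses it, so untrusted input is
    // evaluated as an expression instead of being bound as a value.
    @Query("{ 'lastname': ?#{ ?0 } }")
    List<Person> findByLastnamePlaceholderInSpel(String lastname);

    // SAFE: plain parameter binding. ?0 is bound as a BSON value by the
    // query parser; no expression evaluation is involved at all.
    @Query("{ 'lastname': ?0 }")
    List<Person> findByLastnameBound(String lastname);

    // SAFE when SpEL is genuinely needed: [0] is a reference to the method
    // argument array that SpEL resolves itself, so the value is never
    // spliced into the expression text.
    @Query("{ 'lastname': ?#{ [0] } }")
    List<Person> findByLastnameArgumentReference(String lastname);
}
```

A quick code-review check while you plan the upgrade is to search your @Query and @Aggregation strings for `?#{` and flag any that also contain a `?N` placeholder inside the braces.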

What is SpEL?

SpEL stands for Spring Expression Language. It is an expression language used by the Spring framework to evaluate expressions and generate SQL statements dynamically at runtime.
